(57) Abstract

A firewall is used to achieve network separation within a computing system having a plurality of network interfaces. A plurality of regions is defined within the firewall and a set of policies is configured for each of the plurality of regions. The firewall restricts communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
SYSTEM AND METHOD FOR CONTROLLING
INTERACTIONS BETWEEN NETWORKS

Field of the Invention 

The present invention relates generally to network security, and 
more particularly to a system and method of grouping networks to enforce a 
security policy. 

Background of the Invention

Recent developments in technology have made access easier to publicly available computer networks, such as the Internet. Organizations are increasingly turning to external networks such as the Internet to foster communication between employees, suppliers and clients. With this increased access comes an increased vulnerability to malicious activities on the part of both people inside and outside the organization. Firewalls have become a key tool in controlling the flow of data between internal networks and these external networks.

A firewall is a system which enforces a security policy on communication traffic entering and leaving an internal network. Firewalls are generally developed on one or more of three models: the screening router, the bastion host, and the dual homed gateway. These models are described in U.S. Patent No. 5,623,601 to Vu, issued April 22, 1997 and entitled APPARATUS AND METHOD FOR PROVIDING A SECURE GATEWAY FOR COMMUNICATION AND DATA EXCHANGES BETWEEN NETWORKS (Vu), which is hereby incorporated herein by reference.

Vu describes packet filters as a more sophisticated type of screening that operates on the protocol level. Packet filters are generally host-based applications which permit certain communications over predefined ports. Packet filters may have associated rule bases and operate on the principle of that which is not expressly permitted is prohibited. Public networks such as the Internet operate in TCP/IP protocol. A UNIX operating system running TCP/IP has a capacity of 64K communication ports. It is therefore generally considered impractical to construct and maintain a comprehensive rule base for a packet filter application. Besides, packet filtering is implemented using the simple Internet Protocol (IP) packet filtering mechanisms which are not regarded as being robust enough to permit the implementation of an adequate level of protection. The principal drawback of packet filters, according to Vu, is that they are executed by the operating system kernel and there is a limited capacity at that level to perform screening functions. As noted above, protocols may be piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to access the private network.
Accordingly, it is an object of this invention to provide a method for controlling interactions between networks by the use of firewalls with defined regions.

Summary of the Invention

The present invention is directed to a system and method of achieving network separation within a computing system having a plurality of network interfaces. One aspect of the invention is a method comprising the steps of defining a plurality of regions; configuring a set of policies for each of the plurality of regions; assigning each of the plurality of network interfaces to only one of the plurality of regions, wherein at least one of the plurality of network interfaces is assigned to a particular region; and restricting communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.

Another aspect of the invention is a secure server comprising an operating system kernel; a plurality of network interfaces which communicate with the operating system kernel; and a firewall comprising a plurality of regions, wherein a set of policies has been configured for each of the plurality of regions; wherein each of the plurality of network interfaces is assigned to only one of the plurality of regions; wherein at least one of the plurality of network interfaces is assigned to a particular region; and wherein communication to and from each of the plurality of network interfaces is restricted in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
A feature of the present invention is the application level approach to security enforcement, wherein type enforcement is integral to the operating system. Still another feature is protection against attacks including intruders into the computer system. Yet another feature is a new graphical user interface (GUI) in an effective Access Control Language (ACL). A further feature of the present invention is a visual access control system. Another feature is embedded support for Virtual Private Networking (VPN).

Brief Description of the Drawings

Figure 1 depicts an implementation of the firewall of the present invention.
Figure 1a shows a representative computing system protected by a firewall.
Figure 1b depicts another computing system protected by a firewall.
Figure 2 shows the regions and their members as defined in the present invention.
Figure 3 is a graphical representation of ACL commands.
Figure 4 is a flow diagram for a virus alert.
Figure 5 depicts a method by which incoming data packets are processed in accordance with the present invention.
Detailed Description of the Preferred Embodiments

In the following detailed description of the preferred embodiments, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.

Figure 1 depicts a block diagram showing the relationship between a firewall 34 in accordance with this invention, the Internet 36, a Secure Server Network (SSN) 38, a Company Private Net 40, and a Partner Shared Net 42. As shown in Figure 1, communications to and from any other servers or networks go through the firewall 34.

Two representative firewall-protected computing systems are shown in Figures 1a and 1b. System 10 in Figure 1a includes an internal network 12 connected through firewall 14 to external network 16. A server 18 and one or more workstations 20 are connected to internal network 12 and communicate through firewall 14 with servers or workstations on external network 16.

System 30 in Figure 1b includes an internal network 32 connected through firewall 34 to external network 36. A server 38 and one or more workstations 40 are connected to internal network 32. In addition, a server 42 is connected through network 44 to firewall 34. Workstations 40 communicate through firewall 14 with servers or workstations on external network 16 and with server 42 on network 44. In one embodiment network 44 and server 42 are in a sort of demilitarized zone (DMZ) providing protected access to server 42 to internal users and to external entities.

In one embodiment, firewalls 14 and 34 implement a region-based security system as will be discussed below.

Regions are a new and flexible way of organizing systems such as systems 10 and 30. Regions let you group both physical interfaces (network cards) and Virtual Private Networks (VPNs) into areas of similar trust and security needs. Regions (along with services) provide the foundation on which every access rule is built. By grouping together networks and VPNs that require the same type of security, you eliminate the need to enter multiple versions of the same access rule for each network or VPN. In doing so, regions give you the flexibility to tailor a security policy that meets the specific needs of your network environment.

One embodiment of a region-based system is shown in Figure 1. In Fig. 1, firewall 34 coordinates communication between internal network 32 (e.g., a company private network), external network 36 (e.g., the Internet) and DMZ network 44 (e.g., a secure server network). In one such embodiment, firewall 34 also controls virtual private network (VPN) communication between external entities and networks 32 and 44. Regions are defined and one or more networks is assigned to each region. In the example shown in Figure 3, the regions are Sales Office, Worldwide Customer Service, Worldwide Sales, Secure 'DMZ' and R&D Network. R&D Network includes the trusted internal network. Sales Office and Secure 'DMZ' are within slightly less trusted regions. Worldwide Customer Service and Worldwide Sales come in unencrypted over the Internet and are, therefore, the least trusted.
Firewall 34 protects regions from unauthorized access through the use of access rules. For each connection attempt, the Firewall checks it against the defined access rules. The rule that matches the characteristics of the connection request is used to determine whether the connection should be allowed or denied.

The operating system on which the firewall 34 is implemented is the BSDI 3.1 version of UNIX, a security hardened operating system with each application separated out, and protected by type enforcement technology. The functions of firewall 34 are all integrated with the operating system, and each one is completely compartmentalized and secured on its own, and then bound by type enforcement control.

Type enforcement, which is implemented within the operating system itself, assures a very high level of security by dividing the entire firewall into domains and file types. Domains are restricted environments for applications, such as FTP and Telnet. A domain is set up to handle one kind of application only, and that application runs solely in its own domain. File types are named groups of files and subdirectories. A type can include any number of files, but each file on the system belongs to only one type.

There is no concept of a root super-user with overall control. Type enforcement is based on the security principle of least privilege: any program executing on the system is given only the resources and privileges it needs to accomplish its tasks. On the firewall of this invention, type enforcement enforces the least privilege concept by controlling all the interactions between domains and file types. Domains must have explicit permission to access specific file types, communicate with other domains, or access system functions. Any attempts to the contrary fail as if the files did not exist. The type enforcement policy is mandatory, and nothing short of shutting the system down and recompiling the type enforcement policy database can change it.
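As an added illustration (not code from the patent or from the firewall it describes), the following Python models the type enforcement rules just stated: every file belongs to exactly one type, a domain may touch a file type, talk to another domain or use a system function only where the compiled policy grants it explicitly, a denied access is reported exactly like a missing file, and there is no privileged domain that bypasses the check. The domain names (ftp_d, telnet_d, admin_d, audit_d), type names, file paths and function names are constructed for the example.

```python
# Added example (not from the patent): a minimal model of the type enforcement
# policy described above. Each file belongs to exactly one type; a domain may
# touch a file type, talk to another domain or use a system function only if
# the compiled policy grants it explicitly; a denied access fails as if the
# file did not exist; and no "root" domain bypasses the check. Domain names,
# type names, file paths and function names are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

class PolicyError(Exception):
    """The policy database is inconsistent (e.g. a file listed under two types)."""

@dataclass(frozen=True)   # frozen: the compiled policy's fields cannot be rebound at run time
class TePolicy:
    file_types: Dict[str, str]                          # path -> type
    file_access: Dict[Tuple[str, str], FrozenSet[str]]  # (domain, type) -> allowed ops
    domain_links: FrozenSet[Tuple[str, str]]            # (src domain, dst domain)
    sys_access: FrozenSet[Tuple[str, str]]              # (domain, system function)

def build_policy(types, file_access, domain_links, sys_access):
    """Compile the policy; rejects a file that would belong to more than one type."""
    file_types = {}
    for tname, files in types.items():
        for path in files:
            if path in file_types and file_types[path] != tname:
                raise PolicyError(f"{path} listed under {file_types[path]} and {tname}")
            file_types[path] = tname
    return TePolicy(file_types,
                    {k: frozenset(v) for k, v in file_access.items()},
                    frozenset(domain_links), frozenset(sys_access))

def may_access_file(policy, domain, path, op):
    """True only for an explicit (domain, type) grant that names this operation."""
    ftype = policy.file_types.get(path)
    return ftype is not None and op in policy.file_access.get((domain, ftype), frozenset())

def open_in_domain(policy, domain, path, op):
    """A denied (or untyped) file is reported exactly like a missing one."""
    if not may_access_file(policy, domain, path, op):
        raise FileNotFoundError(path)
    return f"{op}:{path}"

def may_talk(policy, src_domain, dst_domain):
    return (src_domain, dst_domain) in policy.domain_links

def may_call(policy, domain, func):
    return (domain, func) in policy.sys_access

# Constructed sample: ftp and telnet each run in their own domain and can read
# only their own files; admin_d may edit the ftp config but gets nothing else.
SAMPLE = build_policy(
    types={"ftp_pub_t": ["/pub/readme.txt", "/pub/tools.tgz"],
           "ftp_conf_t": ["/etc/ftpd.conf"],
           "telnet_conf_t": ["/etc/telnetd.conf"]},
    file_access={("ftp_d", "ftp_pub_t"): {"read"},
                 ("ftp_d", "ftp_conf_t"): {"read"},
                 ("telnet_d", "telnet_conf_t"): {"read"},
                 ("admin_d", "ftp_conf_t"): {"read", "write"}},
    domain_links={("ftp_d", "audit_d"), ("telnet_d", "audit_d")},
    sys_access={("ftp_d", "bind_port"), ("telnet_d", "bind_port")},
)
```

The point to notice is that admin_d, despite its write grant on the ftp configuration, gets the same "no such file" answer as any other domain when it touches the telnet configuration: there is no domain that the check treats specially.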

Type enforcement is described in two pending patent applications entitled SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES, Serial No. 08/322,078, filed October 12, 1994, and SYSTEM AND METHOD FOR ACHIEVING NETWORK SEPARATION, Serial No. 08/599,232, filed February 9, 1996.

Essentially, a type enforcement scheme provides for the secure transfer of data between a workstation connected to a private network and a remote computer connected to an unsecured network. A secure computer is inserted into the private network to serve as the gateway to the unsecured network and a client subsystem is added to the workstation in order to control the transfer of data from the workstation to the secure computer. The secure computer includes a private network interface connected to the private network, an unsecured network interface connected to the unsecured network, wherein the unsecured network interface includes means for encrypting data to be transferred from the first workstation to the remote computer, a server function for transferring data between the private network interface and the unsecured network interface and a filter function for filtering data transferred between the remote computer and the workstation.

The firewall of the present invention features application-level gateways, which negotiate communications and never make a direct connection between two different networks. Hence, unlike packet filtering, which, as described in the prior art, applies rules on every incoming packet of data, the firewall applies rules applicable to the network or port in which data packets are entering. The gateways have a detailed understanding of the networking services they manage. This architecture isolates activity between network interfaces by shutting off all direct communication between them. Instead, application data is transferred in a sanitized form between the opposite sides of the gateway.

In addition to the firewall's secured type enforced operating system and application gateway architecture, the system has been designed to defend against known network penetration and denial of service attacks.

Finding out who and where attacks are originating from is a key requirement to taking corrective action. The firewall also includes intruder response that allows administrators to obtain all the information available about a potential intruder. If an attack is detected or an alarm is triggered, the intruder response mechanism collects information on the attacker, their source, and the route they are using to reach the system.
In addition to real-time response via pager or SNMP, alarms can be configured to automatically print results or to email them to the designated person.

The growing need for applying specific security policies and access requirements to complex organizations requires a new way of managing firewalls - regions. Regions are groupings of physical interfaces (network cards) and virtual networks (VPNs) into entities of similar trust.

Suppose a company has thousands of roaming users connecting to the company network from encrypted virtual private network ("VPN") clients - managing such users one at a time would be an enormous task. It would be easier to organize those roaming users into groups having, as an example, full access, medium access, and limited access rights. Figure 2 depicts regions Internet, Secure 'DMZ', R&D Network, Sales Offices, Worldwide Customer Service, and Worldwide Sales. In Figure 2, all Sales or Customer Support departments in the company's offices can be grouped together into regions Worldwide Sales and Worldwide Customer Service, respectively.

Regions permit the grouping of networks and VPNs that require the same type of security, thereby eliminating the need to enter multiple versions of the same access rule for each network or VPN. Thus regions allow flexibility in tailoring a security policy. In defining regions, the first task is to group together networks or VPNs that require the same type of network access. Each network interface card or VPN that is grouped in a region is considered a member of that region. A region can consist of the following members:

• an interface card,
• a VPN,
• a group of VPNs,
• an interface card and a VPN, or
• an interface card and a group of VPNs.

Hence in Figure 2, user1, user2, user3, mgr1, and mgr2 of Region named R&D Network would have the same rights defined for the R&D Region. In the same way, Roaming Sales 1, Roaming Sales 2, Roaming Sales 3, etc. would have the same rights accorded to all members of Region named Sales Offices. In Figure 2, user1, user2, Roaming Sales 1, Roaming Sales 2, mgr1,
for user2 to logon the workstation onto which user3 might ordinarily logon, or for mgr1 to logon the workstation onto which mgr3 might ordinarily logon.

Every region is protected from every other region as defined in the firewall of the present invention. All connections to and from each region are first examined by the firewall. Regions may communicate with each other only if an appropriate access rule has been defined. For each access rule, first, the services that the rule will control must be defined, then, second, the regions that the connection is traveling between must also be defined. For example, if the Internal region is to be allowed to access Telnet services on the Internet region, the access rule must specify Telnet as the service that the rule controls and specify the From: region as Internal and the To: region as Internet. Hence, the firewall of the present invention does not allow traffic to pass directly through the firewall in any direction. Region to Region connections are made via an application aware gateway. Application-level gateways understand and interpret network protocol and provide increased access control ability.
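The region model of the preceding paragraphs, as an added Python example that is not code from the patent or its firewall: a region table in which every interface card or VPN belongs to exactly one region (a second assignment is rejected), and a rule set in which a connection passes only if some rule names its service and its From/To regions, so two regions with no rule between them cannot talk. The region names Internal and Internet come from the text; the interface names (eth0 etc.), the VPN names, the other region names and the permitted services are constructed.

```python
# Added example, not the patent's code: region membership and the default-deny
# region-to-region access check. Region names "Internal" and "Internet" are from
# the text; interface, VPN and other names are constructed.
from typing import Dict, Set, Tuple

class RegionError(Exception):
    pass

class RegionTable:
    """Groups interface cards, VPNs and VPN groups into regions of similar
    trust. Every member belongs to exactly one region."""
    def __init__(self):
        self._owner: Dict[str, str] = {}         # member -> region
        self._members: Dict[str, Set[str]] = {}  # region -> members

    def define(self, *regions):
        for r in regions:
            self._members.setdefault(r, set())

    def defined(self, region):
        return region in self._members

    def assign(self, member, region):
        if not self.defined(region):
            raise RegionError(f"region {region!r} is not defined")
        owner = self._owner.get(member)
        if owner is not None and owner != region:
            raise RegionError(f"{member} is already a member of {owner!r}")
        self._owner[member] = region
        self._members[region].add(member)

    def assign_group(self, members, region):
        """A group of VPNs (e.g. all roaming sales laptops) joins as one unit."""
        for m in members:
            self.assign(m, region)

    def region_of(self, member):
        if member not in self._owner:
            raise RegionError(f"{member} is not a member of any region")
        return self._owner[member]

    def members(self, region):
        return frozenset(self._members[region])

class AccessRules:
    """Each rule names a service and the From/To regions. Anything not
    expressly permitted is denied, and rules are directional."""
    def __init__(self, regions):
        self._regions = regions
        self._rules: Set[Tuple[str, str, str]] = set()

    def permit(self, service, from_region, to_region):
        for r in (from_region, to_region):
            if not self._regions.defined(r):
                raise RegionError(f"region {r!r} is not defined")
        self._rules.add((service, from_region, to_region))

    def allowed(self, service, in_member, out_member):
        """Resolve both endpoints to their regions, then look for a rule."""
        src = self._regions.region_of(in_member)
        dst = self._regions.region_of(out_member)
        return (service, src, dst) in self._rules

def build_sample():
    """Constructed layout: three interface cards plus a VPN group."""
    rt = RegionTable()
    rt.define("Internal", "Internet", "Secure DMZ", "Sales Offices")
    rt.assign("eth0", "Internal")
    rt.assign("eth1", "Internet")
    rt.assign("eth2", "Secure DMZ")
    rt.assign_group(["vpn-roaming-sales-1", "vpn-roaming-sales-2"], "Sales Offices")
    rules = AccessRules(rt)
    rules.permit("telnet", "Internal", "Internet")   # the Telnet example from the text
    rules.permit("www", "Sales Offices", "Secure DMZ")
    return rt, rules
```

Because the rule is keyed on regions rather than on interfaces, adding a third roaming-sales VPN to the Sales Offices region gives it the www rule without any rule being re-entered, which is the saving the text describes.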

The ACLs are the heart and soul of the firewall. For each connection attempt, the firewall checks the ACLs for permissions on use and for constraints for the connection. Constraints can include: encryption requirements, authentication requirements, time of day restrictions, concurrent sessions restrictions, connection redirection, address or host name restrictions, user restrictions and so forth.

Access rules are the way in which the firewall protects regions from unauthorized access. For each connection attempt, the firewall checks it against the defined access rules. The rule that matches the characteristics of the connection request is used to determine whether the connection should be allowed or denied.

With the firewall of the present invention, access rules are created in a completely new way - using decision trees. Knowing that an access rule is based on a series of decisions made about a connection, the firewall permits the building of an access rule based on "nodes" of decision criteria. A node can be added to check for such criteria as the time of day, whether the connection uses the appropriate authentication or encryption, the user or groups initiating the connection request or the IP address or host of the connection. Each node is compared against an incoming connection request and you determine whether the connection is allowed or denied based on the results of the node comparison.

Every access rule must consist of two specific nodes. The first, the Services node, decides which service(s) the rule will control. The second, the From/To node, determines the source region and destination region of the connection. Once the services and regions for the rule are established, more nodes can be added to determine specific details about the connection.

This approach provides a new way to control network access. The Firewall presents access rules as visual decision tree diagrams. Each diagram contains building blocks or nodes of information that apply a condition to or make a decision about the connection. At any point, you can add alerts to indicate when a particular point in an access rule has been reached or filters to check for authentication, encryption, WWW blocking or FTP commands.

In addition to the Allow or Deny terminal nodes, there are four other types of nodes you can add to an access rule: decision nodes, filter nodes, redirects and alerts. Decision nodes will be discussed next.

At any point in an access rule, you can check a connection request based on the time of day, its users and groups, its IP addresses and hosts or maximum concurrent sessions. At these decision nodes, the Firewall determines whether the connection is true or false. If the connection meets the criteria listed in the node, the connection is considered true and proceeds along a "true" branch. If the connection does not meet the node criteria, the connection is considered false and proceeds along a "false" branch.

You can apply a filter at any point in an access rule. Filters differ from decision nodes in that they do not determine if a connection is true or false. Instead, filters attempt to apply a condition to the connection. If the filter can be applied to the connection, the filter is performed and the connection proceeds along the same path. If the filter does not apply to the connection, the filter is ignored and the connection still proceeds. In one embodiment, the filter node can force user authentication or encryption, can use filters to block particular WWW connections, or can filter the connection to see if it contains Java or ActiveX content.
A rewrite node is a point in an access rule where source or destination addresses are mapped to other source or destination addresses. Destination IP address rewrites allow an inbound connection through NAT address hiding to be remapped to a destination inside the NAT barrier. Source address rewrites can be used on outbound connections to make the source appear to be one of many external addresses. This process allows the internal hosts to be aliased to external addresses. In one embodiment, rewrites can be based on any connection criteria, including users.

At any point in an access rule, you can add an alert that notifies recipients when a connection has reached a particular point in an access rule. Using these alerts, you can monitor specific users' IP addresses and other criteria contained within a specific access rule.

When a connection request reaches a node in a rule, it is checked against the information in the node. If the node is a filter node 72, the filter condition is either applied or ignored. Only one branch leads out of a filter node. If the node happens to be a decision node, there are two possible results. If the connection meets the criteria listed, it is considered true and follows the "true" branch of the access rule. Otherwise, the connection is considered "false" and follows the false branch.
Referring to Figure 3, the design for this feature falls almost directly out of the GUI representation. The GUI presents access rules as a decision tree with special kinds of nodes which make true or false decisions. Each decision leads to a branch which contains more nodes. Along the way, filters can be acquired. These filters are not processed by the kernel with the exception of redirects (rewrite destination address or port). In Figure 3, the time of day is checked (50). If during business hours, the user is checked (52). Certain users are allowed, so the connection is allowed (54) as indicated by the check mark. However, some users (56) require a SmartFilter check (58), whereas everyone else is denied (60).
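The decision-tree access rule described from the "nodes" paragraph through the Figure 3 walk-through, as an added Python example (not code from the patent or its firewall). Decision nodes have a true and a false exit; filter, alert and rewrite nodes have one exit, and a filter that does not apply is simply skipped; a rule whose Services or From/To node fails to match reports "no-match" so that the next rule can be tried, and with no matching rule the connection is denied. Filters are only recorded in the verdict for the proxy to act on, while rewrites change the address in the tree itself, following the remark that the kernel processes redirects but not the other filters. The first rule reproduces the Figure 3 shape (time of day 50, user 52, allow 54, filtered users 56, SmartFilter 58, deny 60); the second is a constructed inbound FTP rule with a user-based destination rewrite and an alert. All user names, region names, addresses and the business-hours window are constructed, and the false branch of the time-of-day check, which the text does not state, is assumed to deny.

```python
# Added example, not the patent's code: an access rule modelled as a decision
# tree. Decision nodes branch true/false; Step nodes (filters, alerts,
# rewrites) have one exit. Filters are recorded for the proxy, not enforced
# here; rewrites change the address in-tree. A rule whose Services or From/To
# node fails returns "no-match" so the next rule is tried; no match = deny.
# Users, regions, addresses and business hours are constructed; the false
# branch of the time-of-day check is assumed (not stated in the text) to deny.
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Optional

@dataclass
class Conn:
    service: str
    from_region: str
    to_region: str
    user: Optional[str]          # None means anonymous
    dst_addr: str
    at: time

@dataclass
class Verdict:
    decision: str = "deny"       # default when no rule matches
    path: List[str] = field(default_factory=list)
    filters: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    rewrites: Dict[str, str] = field(default_factory=dict)

@dataclass
class Terminal:                  # Allow, Deny or no-match
    name: str
    decision: str
    def run(self, c, v):
        v.decision = self.decision
        return None

@dataclass
class Decision:                  # two exits: the "true" and "false" branch
    name: str
    pred: Callable[[Conn], bool]
    on_true: object
    on_false: object
    def run(self, c, v):
        return self.on_true if self.pred(c) else self.on_false

@dataclass
class Step:                      # one exit; action runs only where it applies
    name: str
    applies: Callable[[Conn], bool]
    action: Callable[[Conn, Verdict], None]
    next: object
    def run(self, c, v):
        if self.applies(c):      # a filter that does not apply is ignored
            self.action(c, v)
        return self.next

def Filter(name, applies, nxt):  # recorded for the proxy; not enforced in-tree
    return Step(name, applies, lambda c, v: v.filters.append(name), nxt)

def Rewrite(name, attr, mapping, nxt):  # attr is "dst_addr" (or a src field)
    def apply(c, v):
        setattr(c, attr, mapping(c))
        v.rewrites[attr] = mapping(c)
    return Step(name, lambda c: mapping(c) is not None, apply, nxt)

def evaluate(root, c, limit=64):
    v, node = Verdict(), root
    for _ in range(limit):
        if node is None:
            return v
        v.path.append(node.name)
        node = node.run(c, v)
    raise RuntimeError("rule does not terminate")

def evaluate_rules(rules, c):
    for rule in rules:           # the first rule that matches decides
        v = evaluate(rule, c)
        if v.decision != "no-match":
            return v
    return Verdict()

NO_MATCH = Terminal("no-match", "no-match")
HOURS = (time(8, 0), time(18, 0))                       # constructed business hours
MANAGERS, STAFF = {"mgr1", "mgr2"}, {"user1", "user2", "user3"}
HOME = {"user1": "192.168.1.11", "user2": "192.168.1.12"}  # user -> internal host

def figure3_rule():  # time of day (50) -> user (52) -> allow (54) / SmartFilter (58) / deny (60)
    deny, allow = Terminal("60 deny", "deny"), Terminal("54 allow", "allow")
    sf = Filter("58 SmartFilter", lambda c: c.service == "www", Terminal("allow", "allow"))
    users = Decision("52 user", lambda c: c.user in MANAGERS, allow,
                     Decision("56 filtered", lambda c: c.user in STAFF, sf, deny))
    tod = Decision("50 time of day", lambda c: HOURS[0] <= c.at < HOURS[1], users, deny)
    ft = Decision("from/to", lambda c: (c.from_region, c.to_region) == ("Internal", "Internet"), tod, NO_MATCH)
    return Decision("services", lambda c: c.service in {"www", "telnet"}, ft, NO_MATCH)

def ftp_rule():      # anonymous -> public server; known user -> own machine; then alert
    done = Step("alert", lambda c: True, lambda c, v: v.alerts.append("ftp remapped"), Terminal("allow", "allow"))
    who = Decision("anonymous?", lambda c: c.user is None,
                   Rewrite("rewrite dst", "dst_addr", lambda c: "192.168.2.21", done),
                   Rewrite("rewrite dst", "dst_addr", lambda c: HOME.get(c.user), done))
    ft = Decision("from/to", lambda c: (c.from_region, c.to_region) == ("Internet", "Secure DMZ"), who, NO_MATCH)
    return Decision("services", lambda c: c.service == "ftp", ft, NO_MATCH)

RULES = [figure3_rule(), ftp_rule()]

def decide(service, frm, to, user, dst, hour):
    """Evaluate one constructed request (hour = whole hour of day) and return its Verdict."""
    return evaluate_rules(RULES, Conn(service, frm, to, user, dst, time(hour, 0)))
```

Two details worth checking against the text: a telnet request from a filtered user passes the SmartFilter step without it being recorded, because that filter only applies to www and a non-applicable filter is ignored while the connection still proceeds; and a known user with no entry in HOME reaches the alert and the allow terminal with the destination unchanged, since the rewrite then has nothing to map.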
The firewall of the present invention introduces a revolutionary means to manage network access control. Traditional firewalls provide lists of access control rules, but as more rules and controls are added, these lists become unmanageable. As shown in Figure 3, the present invention presents a visual means by which access control can be defined and easily understood through flowchart style diagrams.

The firewall's access flow diagrams allow any decision criteria to be based on any other decision, in any order. If the administrator wants to check user first, then time, then apply a specific access policy, they can. In addition, the flow diagrams are object oriented for greater power.

Access control rules on the firewall can be defined with flexibility previously unknown in the industry. This allows, for example, for different web filtering policies on a per-user basis, the ability to deny a connection if it isn't encrypted, authenticate a connection by strong token and another connection by password. Access rules can incorporate any of the following criteria:

• Source and destination Region
• Users and groups
• Source and destination addresses, networks, hosts, and domains
• Type of service (WWW, Email, Telnet, ...)
• Time of day, Day of week
• Load balancing
• Maximum number of concurrent sessions
• Required level of encryption
• Required level of authentication (strong token, password, etc.)
• Protocol filters (WWW, FTP, ...)
• SmartFilter™ URL blocking policy (see later in this section)
• Multiple external IP address connected to
• Source and destination service, port and address rewrites

The firewall's access control diagrams include the capability of IP address rewrites, which allows a connection inbound through NAT address hiding to be remapped to a destination inside the NAT barrier. Also, rewrites can be used on outbound connections to make the source appear to be one of many external addresses. This allows internal hosts to be aliased to external addresses.

Rewrites can be based on any connection criteria, including users. So the administrator can have anonymous FTP connections directed to a public access FTP server on the Secure Server Net, but remap users to their internal machines.

The firewall's access control diagrams also include the capability of sending alerts, with an administrator-defined message, based on any connection decision. Alerts can be dropped into the access flow diagrams at any point. If a connection reaches that point in the diagram, the alert is triggered. For example, in Figure 4, a check for viruses is performed on a file (70). If a virus is found, the administrator is alerted (72), and the transfer is redirected to a safe location for later inspection (74).

The ACLs consist of all the required kernel code. This is all the code that implements the rules themselves in the kernel including: building, modifying, deleting, and querying the rules. Also included are the system calls that the user level programs need to use the ACLs. The parsing of the return values, especially the filters, is not part of the ACLs themselves since the filter rules are defined dynamically by the programs issuing the system calls to build the ACLs. It is the intent that the kernel be flexible enough to handle all the filter requirements without needing modifications for future enhancements.

The ACLs themselves must satisfy the requirements laid out by the GUI design. This dictates to a large degree how the rules must be implemented. Since the user has no direct access to the ACLs (rather they use the user interface), there are no ease of use concerns here except to say that the ACLs must be something the developers can work with easily. Hence, there exists a good set of tools to debug the ACLs.

Virtual Private Networking (VPN) has been embedded into the architecture of the firewall of the present invention, making it an operating characteristic of the operating system, as opposed to other firewalls which added VPN later. Every access control is available to VPN connections in exactly the same way as for physically connected networks: user controls, IP restrictions, protocol filters, address hiding, multi-homing, and more. VPN is a method of authenticating and transparently encrypting bi-directional data transmissions via the Internet. Both gateway to gateway network links as well as roaming users on VPN enabled laptops are utilizing the security and cost effectiveness of VPN Internet encrypted communications. VPN technology is embedded in the core design of the firewall of the present invention.

There are usually 2 sockets per session, client_sock and server_sock. Each socket has two endpoints, so there can be up to four different IP addresses. Note that loc_dst_addr could be anything, if the firewall bound to a wildcard address. Here are diagrams for BFS Inbound, BFS Outbound, and the firewall of the present invention.

                client_sock                          server_sock
    client (cli_addr) --------> [firewall (invention)] --------> (srv_addr) server
                     (loc_dst_addr)                (loc_src_addr)

The SIGWINCH signal is used to force all ACLs to be rechecked and for proxies to re-initialize themselves (for proxies that use config files). Most proxies will handle this signal themselves, but if secured did an ACL before starting a proxy, it must also do the recheck. The SIGWINCH signal will come from the backend, which will use killpg() to signal all the inetd daemons, secured processes, and their child proxies or servers. Note that the default action for SIGWINCH is ignore, so inetd did not need to be modified.

Some transient proxies use SIGALRM internally to do idle proxy timeouts (tcpgsp, tnauthp, sqlp).

All proxies should shutdown cleanly if given a SIGTERM signal. The backend (daemond actually) uses SIGTERM to kill inetd processes when the last service has been removed. We have modified inetd to catch SIGTERM and then use killpg(SIGTERM, pgid) to kill all its children (proxies and secureds). When it starts up, inetd creates a new process group and becomes the leader, which allows it to kill all children easily.

Squid will re-open (not rotate) its logfiles if given the SIGUSR1 signal, and re-initialize itself if given SIGWINCH or SIGHUP. Note that this means squid does not do ACL rechecks, it treats it just like a SIGHUP - closes its listen sockets and waits 30 seconds for active sessions to terminate, then
connections are relatively short-lived.
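The signal conventions of the last few paragraphs (SIGWINCH for an ACL recheck plus re-initialization of proxies that read a config file, SIGTERM for a clean shutdown that a process-group leader forwards to all its children with killpg) in a small Python supervisor, added here as an example and not code from the patent or its firewall. The handler only records the signal and the main loop does the work, which is the usual safe division. The kill function is injectable so the SIGTERM path can be exercised without signalling a real process group; the class and method names are constructed, and SIGWINCH is assumed to exist on the platform (it does on Linux and BSD).

```python
# Added example, not the patent's code: the signal conventions above in a
# small proxy supervisor. SIGWINCH -> recheck ACLs (and reload config for
# proxies that use a config file); SIGTERM -> shut down cleanly and, as a
# process-group leader like inetd, forward the kill to every child with
# killpg(). Handlers only record the signal; the main loop does the work.
# The kill function is injectable so the behaviour can be exercised without
# signalling a real process group. Names are constructed for illustration.
import os
import signal

class ProxySupervisor:
    def __init__(self, uses_config_file=True, kill_group=os.killpg):
        self.uses_config_file = uses_config_file
        self._kill_group = kill_group
        self._pending = set()            # signals received, not yet acted on
        self.acl_rechecks = 0
        self.config_reloads = 0
        self.shutting_down = False

    def install(self):
        """Lead a new process group (so killpg reaches every child) and
        register the handlers. SIGWINCH is ignored by default, which is why
        a process that never installs a handler is unaffected by it."""
        os.setpgrp()
        signal.signal(signal.SIGWINCH, self.on_signal)
        signal.signal(signal.SIGTERM, self.on_signal)

    def on_signal(self, signum, frame=None):
        self._pending.add(signum)        # record only; no work inside the handler

    def deliver(self, name):
        """Behave as if the named signal (e.g. "SIGWINCH") had arrived;
        lets the logic be exercised without sending a real signal."""
        self.on_signal(getattr(signal, name))

    def service(self):
        """One main-loop step: perform pending actions, returned in order.
        Repeated signals coalesce, as real pending signals do."""
        actions = []
        if signal.SIGWINCH in self._pending:
            self._pending.discard(signal.SIGWINCH)
            self.acl_rechecks += 1
            actions.append("recheck_acls")
            if self.uses_config_file:
                self.config_reloads += 1
                actions.append("reload_config")
        if signal.SIGTERM in self._pending:
            self._pending.discard(signal.SIGTERM)
            if not self.shutting_down:
                self.shutting_down = True
                actions.append("shutdown")
                # forward SIGTERM to every child in our group (proxies, secureds)
                self._kill_group(os.getpgrp(), signal.SIGTERM)
        return actions
```

A real proxy would call install() once at start-up and service() from its accept loop; a squid-like program that treats SIGWINCH as a plain re-initialization would simply not count an ACL recheck in the SIGWINCH branch.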

The following options are passed to secured by the backend writing them on the inetd.conf line:

  -D te_dom           Set the TE domain of our child process to te_dom.
  -N service_number   The service number is required for ACL calls. secured will pass this number on to all proxies.
  -t                  Specifies that secured is running a transient service (with the wait flag in inetd.conf). ACL checks are not done by secured for transient services, because the service itself must do ACL checks.
  -u                  Specifies that this service supports the notion of a user name, so secured should let the service perform its own ACL checks. Currently only FTP, telnet and WWW support user names. Note: only needed for ftpp, because tnauthp and squid already do their own ACLs.

The following options are passed to a proxy by the backend writing them on the inetd.conf line:

  -a audit_name   use audit_name in the call to openlog() and for auditing
  -i N            specify session idle timeout as N seconds
  -I N            specify proxy idle timeout as N seconds (transient only)
  -P ch           specify descriptor port: ch=S for secure, ch=L for lpr, ch=G for generic; otherwise ch=N to specify a fixed port, or ch=low-high to specify a port range



The following ACL return values are passed to short-lived proxies by secured:

                        the same service number that secured got via the backend

    -c cli_rgn          set cli_region

    -s srv_rgn          set srv_region

    -D IP               specify the server IP address

    -M IP               specify an IP address to spoof as loc_src_addr, for
                        MAT-out

    -p N                specify the server port number

    -P N                specify fixed value for descriptor port

    -C                  spoof client-side socket (typically outbound proxies)

    -S                  spoof server-side socket (typically inbound proxies)

By letting the ACLs control so many settings, the inetd.conf lines
are much simpler and the degree of control is much greater. For example, here
are some BFS inetd.conf entries for inbound proxies:

    inbound_udp_relay -e 199.71.190.101 -w 65546 -u g_udp_ir -d 192.168.128.138 -m -g 0
    secured -ws 144 -wr 1 -wn 1 -1 199.71.190.121 www_X www_r_i d 192.168.125.2 -m

Here are the corresponding entries for the firewall of the present invention:

    secured -N 123 -D RGnx -t - ntpp -a ntpp
    secured -N 456 -D RGnx -t - httpp -a httpp

The following options are only used for debugging purposes;
some might be disabled on production systems or supported in future releases:

    -n                  non-transparent proxy mode - only works for VDO-Live

                        set the user name (for the mux and ftpp/ftpd)

    -A ch               set the audit method, ch=s for syslog, ch=a for audit,
                        ch=e for stderr

    -m                  disable socket mating

    -L                  disable connection logging

    -z                  set non-paranoid mode, which relaxes IP address checks
                        for UDP proxies

The firewall of the present invention uses new structured audit
calls for session logging, which include src and dst region, ACL matched, auth
method, encryption state, etc. The new calls are:

• audit_session_begin

• audit_session_continue

• audit_session_end

• audit_log_ftp - to log FTP file transfers; includes user, filename, size

• audit_log_smartfilter - to log URL, action (allow/deny), blocked categories

• audit_acl_deny - to log ACL denials

• audit_ipsec_fail - to log IPSEC failures

• audit_auth_fail - to log authentication failures

The present firewall has incorporated the proxy-warder-interface
(pwif) from Sidewinder. We also support external authentication servers such as
snk, safeword, securid. The pwif interface was already supported by tnauthp; we
added pwif support to ftpp, and for GUI login. We are not using pwif for squid;
instead we are using its built-in passwd file support. The backend will have to
keep the squid passwd file in sync with the static-passwd file used for ftp and
telnet.

Besides a simple allow/deny, the ACLs also return the following:
from_region, to_region, destination redirects for IP and port, source redirects for
IP and port, transparency settings and filters. We have standardized ACL filters
as follows (example from acl_util.h):

    #define FILT_DELIM '|'

    /*
     * all filters will be at least 3 characters in length
     * proxy ACL filters will all start with "p"
     * all filters should be disabled (0) unless ACLs enable them
     */

    /* generic proxy filters - all start with "pg"
     *
     * filt_debug           filter "pgdN" sets debug level to N
     *
     * filt_crypto_from     filter "pgeR:levels" requires encryption in regions R,
     * filt_crypto_to       where R equals F, T, B for from_rgn, to_rgn, both,
     * filt_crypto_levels   and levels is colon delimited in
     *                      "rc4-40:rc4-128:des56:3des".
     *                      For example, "pgeF:rc4-128:3des" would force strong
     *                      encryption between the client and the firewall
     *
     * filt_loc_auth        filter "pgaX" specifies local auth
     *                      the character X gives the method: S, s, w
     *                      for STRONG_ONLY, STRONG_PREFER, WEAK_PREFER
     *
     * filt_rem_auth
     * filt_undef_servers   filter "pgA:" specifies list of remote auth methods,
     *                      colon delimited "pgA:radius:safeword:securid:snk"
     */

    typedef struct {
        /* generic proxy filters - see above for their defined values */
        char filt_debug;
        char filt_crypto_from;
        char filt_crypto_to;
        int filt_crypto_levels;
        char filt_loc_auth;
        char filt_rem_auth;
        char **filt_undef_servers;

        /* FTP proxy filters - all start with "pf" */
        char filt_port;      /* filter "pfo" disables PORT command */
        char filt_pasv;      /* filter "pfa" disables PASV command */
        char filt_get;       /* filter "pfg" disables RETR command */
        char filt_put;       /* filter "pfp" disables STOR command */
        char filt_site;      /* filter "pfs" disables SITE command */
        char filt_mkdir;     /* filter "pfm" disables MKD command */
        char filt_rmdir;     /* filter "pfr" disables RMD command */
        char filt_delete;    /* filter "pfd" disables DELE command */
        char filt_rename;    /* filter "pfv" disables RNFR & RNTO commands */
        char filt_anon;      /* filter "pff" disables USER ftp and anonymous */
        u_long filt_size;    /* filter "pfSN" sets N KB to max file size */
    } ftp_acl_filter_t;



Here are some example filter strings, from acl_load.c:

    /* FTP: site, del, WWW: java, activex, cookies */
    #define FILTER_STR1 "pfs|pfd|pwj|pwa|pwc"

    /* generic filter: debug=3 */
    #define FILTER_STR2 "pgd3"

    /* debug=2, FTP: 69K, strong auth, with external auth servers */
    #define FILTER_STR3 "pgd2|pfS69|pgaS|pgA:safeword:radius"
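As an added example (not code from acl_util.h or acl_load.c), here is a C parser for filter strings of the form shown above. The filter letters and field names follow the comments above; the parse functions, the inline level buffer and the server-list size are assumptions of the example.

```c
/* Added example, not code from acl_util.h or acl_load.c: a parser for the
 * "|"-delimited filter strings described above. Filter letters and field
 * names follow the page; the parse functions, the inline level buffer and
 * the server-list size are this example's own choices. */
#define _POSIX_C_SOURCE 200809L     /* strdup, strtok_r */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILT_DELIM  '|'
#define MAX_SERVERS 8

typedef struct {
    /* generic proxy filters ("pg...") */
    char filt_debug;                       /* pgdN: debug level N */
    char filt_crypto_from;                 /* pgeR: R is F, T or B */
    char filt_crypto_to;
    char filt_crypto_levels[64];           /* colon-delimited levels after "pgeR:" */
    char filt_loc_auth;                    /* pgaX: X is S, s or w */
    char filt_rem_auth;                    /* set when a "pgA:" list was given */
    char *filt_undef_servers[MAX_SERVERS]; /* NULL-terminated remote auth servers */
    /* FTP proxy filters ("pf...") */
    char filt_port, filt_pasv, filt_get, filt_put, filt_site;
    char filt_mkdir, filt_rmdir, filt_delete, filt_rename, filt_anon;
    unsigned long filt_size;               /* pfSN: max file size in KB */
} ftp_acl_filter_t;

/* Apply one token. Returns -1 if malformed: every filter is at least three
 * characters and proxy filters start with "p". */
static int apply_filter(ftp_acl_filter_t *f, const char *tok)
{
    if (strlen(tok) < 3 || tok[0] != 'p')
        return -1;
    if (tok[1] == 'g') {                          /* generic proxy filters */
        switch (tok[2]) {
        case 'd': f->filt_debug = (char)atoi(tok + 3); return 0;
        case 'e':                                 /* pgeR:levels */
            if (tok[3] == '\0' || tok[4] != ':') return -1;
            f->filt_crypto_from = (tok[3] == 'F' || tok[3] == 'B');
            f->filt_crypto_to   = (tok[3] == 'T' || tok[3] == 'B');
            snprintf(f->filt_crypto_levels, sizeof f->filt_crypto_levels, "%s", tok + 5);
            return 0;
        case 'a': f->filt_loc_auth = tok[3]; return 0;
        case 'A': {                               /* pgA:method:method... */
            char *list, *save = NULL, *p;
            int n = 0;
            if (tok[3] != ':') return -1;
            list = strdup(tok + 4);
            for (p = strtok_r(list, ":", &save); p && n < MAX_SERVERS - 1; p = strtok_r(NULL, ":", &save))
                f->filt_undef_servers[n++] = strdup(p);
            f->filt_undef_servers[n] = NULL;
            f->filt_rem_auth = (n > 0);
            free(list);
            return 0;
        }
        default: return -1;
        }
    }
    if (tok[1] == 'f') {                          /* FTP proxy filters */
        switch (tok[2]) {
        case 'o': f->filt_port = 1;   return 0;
        case 'a': f->filt_pasv = 1;   return 0;
        case 'g': f->filt_get = 1;    return 0;
        case 'p': f->filt_put = 1;    return 0;
        case 's': f->filt_site = 1;   return 0;
        case 'm': f->filt_mkdir = 1;  return 0;
        case 'r': f->filt_rmdir = 1;  return 0;
        case 'd': f->filt_delete = 1; return 0;
        case 'v': f->filt_rename = 1; return 0;
        case 'f': f->filt_anon = 1;   return 0;
        case 'S': f->filt_size = strtoul(tok + 3, NULL, 10); return 0;
        default: return -1;
        }
    }
    return 0;   /* other proxies' filters (e.g. "pw...") are ignored by ftpp */
}

/* Parse a whole filter_text string. Every field starts disabled (0). Returns
 * how many tokens were malformed so the caller can audit a bad string. */
int parse_filter_string(const char *filter_text, ftp_acl_filter_t *f)
{
    const char delim[2] = { FILT_DELIM, '\0' };
    char *copy = strdup(filter_text), *save = NULL, *tok;
    int bad = 0;
    memset(f, 0, sizeof *f);
    for (tok = strtok_r(copy, delim, &save); tok; tok = strtok_r(NULL, delim, &save))
        if (apply_filter(f, tok) < 0)
            bad++;
    free(copy);
    return bad;
}
```

Parsing FILTER_STR3 above yields debug level 2, a 69 KB size cap, local auth method S and the remote server list safeword, radius.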
Squid Issues

The caching WWW proxy (squid) is very interesting because it
has its own ACL checks and non-blocking DNS interface. We leveraged this
built-in support in our work, but it was still tricky to integrate the firewall's ACL
calls while operating as a non-blocking long-lived proxy.

Squid supports something called proxy-authentication, but this
will only work if someone has configured their web browser to contact a proxy
for all URLs. Before doing ACL checks, we use the following code to handle
this special case:

    if (scc_getregion(&conn->me.sin_addr) == 0)
        name_valid = 1;   /* non-transparent mode supports proxy-auth */
    else
        name_valid = 0;   /* transparent mode does not */

This will cause ACL checks for transparent HTTP requests to
bypass user nodes, and squid will ignore auth filters. Non-transparent requests
(where the connection is TO the firewall) will enforce any user nodes and auth
filters in the ACL tree.

Since the proxy might not get an authentication filter after the
ACLs return NEEDS_USERNAME, the squid proxy-auth code has been
changed to not return a failure code if the password was not accepted. Instead we
save some internal state, and only check this state if an authentication filter is
returned later.

It is worth noting that in non-transparent mode squid can proxy
and authenticate http, gopher, ftp and wais URLs.



In the Proxy

The proxy will make two calls to the ACLs. The first will be:

    int scc_is_service_allowed(
        unsigned long service_number,
        struct sockaddr_in *src_ip,
        struct sockaddr_in *dst_ip,
        char *src_host_name,          /* usually null */
        char *dst_host_name,          /* usually null */
        char *user_name,              /* null if none */
        int name_valid,               /* tell if name is valid */
        /* return values */
        int &to_region,
        int &from_region,
        int &filter_text_len,
        char &filter_text,
        int rule_name_len,
        char &rule_name,
        struct sockaddr_in &redirect_src_addr_port,
        struct sockaddr_in &redirect_dst_addr_port,
        int &master_key,
        caddr_t &connection_id        /* id for this connection */
    );

The possible return values will be:

    #define ACL_DENY                    0
    #define ACL_ALLOW_HIDE_SRC          1
    #define ACL_ALLOW_HIDE_DST          2
    #define ACL_ALLOW_HIDE_BOTH         3
    #define ACL_ALLOW_SHOW_ALL          4
    #define ACL_RESOLVE_SRC_ADDR        5
    #define ACL_RESOLVE_DST_ADDR        6
    #define ACL_NEED_MORE_FILTER_SPACE  7
    #define ACL_NEED_USER_NAME          8

Thus the ACLs will return, for each connection, how to hide the addresses. The
description of each of these values is as follows:

service_number: this is a number that the backend decides and is unique per
service or possibly per service, from and to region triplet as desired.

src_ip: this is the source IP address of the connection.

dst_ip: this is the destination IP address of the connection.

src_host_name: this is the host name based on the reverse lookup of the source
address of the connection. This is generally only used when the kernel explicitly
asks for it by returning from a previous call to scc_is_service_allowed with a
return value of ACL_RESOLVE_SRC_ADDR.

dst_host_name: this is the host name based on the reverse lookup of the
destination address of the connection. This is generally only used when the
kernel explicitly asks for it by returning from a previous call to
scc_is_service_allowed with a return value of ACL_RESOLVE_DST_ADDR.

user_name: this is the user name of the person using the service. This value is
only used when ACL_NEED_USER_NAME has been returned by the kernel.
Use NULL if the name has not yet been requested. Currently only FTP, telnet
and WWW support user names.

name_valid: this tells the ACLs whether or not a user name makes any sense for
this protocol. If the name_valid flag is set to TRUE, then user decision nodes
will be used (and thus a user name will be required if a user decision node is
encountered when checking the ACL). If set to false, then the user decision
nodes will be ignored and the true path of those nodes encountered when
checking the ACL will be used.

to_region: the region number that the destination address of this connection is in.

from_region: the region number that the source address of this connection is in.

filter_text_len: this is a pointer to an integer which has the length of the
filter_text array in it. This value will be set to the amount of data returned by the
access call on return. If the return value is
ACL_NEED_MORE_FILTER_SPACE, then the value in this variable will
contain the amount of space required.

to store the concatenated filter strings accumulated while checking the ACLs.

rule_name_len: this is the size of the array rule_name.

rule_name: this is the name of the rule that allowed or denied the connection.
Only a maximum of rule_name_len - 1 characters will be stored in there.

redirect_dst_addr_port: this is the address and port to redirect this connection to.
The system will set this to all zeroes if it is not in use. The port and address will
always both be set together in this structure if it is to be used. Only the sin_port
and sin_addr part of the structure will be used.

redirect_src_addr_port: this is used to indicate to the firewall that when making
the connection from the firewall to the destination, it should use the source
address/port provided. Note that unlike the redirect_dst_addr_port field only
the parts of the address required will be filled out. In particular, if the port is
specified but not the address then the address field will be zero. Similarly, if the
address is specified but not the port, then the port will be zero. For the
redirect_dst_addr_port, if one or both fields are specified then they are both
returned (with the unspecified field left the same as the actual destination).

master_key: this is the key that indicates which items have been licensed on the
firewall.

connection_id: this is the connection id for this connection. When the service is
finished you provide this id to the scc_service_done system call and that
function decrements the correct counters.

Note that the user name will be used by the system to get the
groups automatically behind the scenes in the library call. This means that the
actual call to the kernel will have more fields. In particular, there will be a list of
group names and a counter to indicate how many elements are in the list.
The second call will be:

    int scc_service_done(caddr_t connection_id);

This call always returns zero now. The kernel will use the
information in the proc structure for this process to decrement the connection
counts for this connection.

There is one other call that a proxy might have to make. When an
ACL is updated, proxies have to recheck their connections to see if they can still
make the connection. This is done as follows:

    int scc_recheck_service(
        unsigned long service_number,
        struct sockaddr_in *src_ip,
        struct sockaddr_in *dst_ip,
        char *src_host_name,          /* usually null */
        char *dst_host_name,          /* usually null */
        char *user_name,              /* null if none */
        int name_valid,               /* tell if name is valid */
        caddr_t &connection_id,       /* id for this connection */
        /* return values */
        int &to_region,
        int &from_region,
        int &filter_text_len,
        char &filter_text,
        int rule_name_len,
        char &rule_name,
        struct sockaddr_in &redirect_src_addr_port,
        struct sockaddr_in &redirect_dst_addr_port,
        int &master_key
    );

Returns from this will be the same as for the
scc_is_service_allowed call except that connection_id is passed in as a
parameter, not a return value.
If the connection is not allowed, then the counters are
automatically freed up and the proxy need not make any further calls for that
connection. In the case of counter nodes, the recheck will fail until the counter is
at an acceptable level. This means that, if the counter has been decreased below
current connection levels, the first connection rechecked will fail and so on until
the current number of connections counter has been decremented enough. Thus,
proxies should recheck services in order of lowest priority to highest priority
(typically by checking the oldest sessions first, when that is possible). Note that
short-lived proxies and servers started by secured cannot guarantee the order in
which ACLs will be rechecked, since they will all get a HUP signal at the same
time.

The following new system calls were added to the BSDI 3.1 version
of UNIX to support regions:

rgnbind()               allows a service on the firewall to listen for network
                        connections only in the specified region. This allows us
                        to have different programs listening in different regions;
                        for example, a caching WWW proxy for connections from
                        internal to external and a non-caching proxy from SSN to
                        external. In one embodiment, network servers were
                        modified to use rgnbind() instead of bind(), to ensure that
                        they handled traffic for the correct region.

rgnctl()                adds, deletes, and modifies regions and sets per-region
                        parameters: Members, router, connection refused, and
                        ping response.

rrctl()                 sets region-to-region policy. Currently only handles
                        network address translation, but could add other
                        parameters in future.

scc_getregion()         retrieve the region number for a given IP address

scc_service_checks()

scc_backend_acl_calls()

scc_service_done()

scc_get_service_counts()
Other changes include:

• initialization of region table at system startup time;

• addition of a region number to the packet header data structure to
record the region ID for every network packet received;

• addition of a field to the network interface data to record which
region that interface belongs to; and

• addition of a field to the VPN security association data to record
which region the VPN belongs to.

• In the ICMP (Internet Control Message Protocol) processing, if
the incoming packet is an ICMP ECHO_REQUEST (commonly known as a
"ping"), check the region table and only respond if ping response is enabled for
the region from which the packet came;

• In the IPSec key and policy processing code, code was added to
record the region ID associated with keys and policy table entries, and to
manipulate keys and policies on a region-by-region basis;

• List of changed files: Region modifications were made to the
following files within the BSD/OS kernel:

    kern/uipc_mbuf.c          netpolicy/pt_debug.c
    kern/uipc_syscalls.c      netpolicy/ptsock.c
    ACL/aclservice.c          netpolicy/policy.c
    netinet/ip_input.c        netsec/ipsec.c
    netinet/in_pcb.c          netsec/ipsec_ah.c
    netinet/in_pcb.h          netsec/ipsec_esp.c
    netinet/ip_icmp.c         sys/aclkern.h
    netinet/ip_tunnel.c       sys/audit_codes.h
    netinet/raw_ip.c          sys/mbuf.h
    netinet/tcp_input.c       sys/region.h
    netinet/udp_usrreq.c      sys/sysctl.h
    netkey/key.c              net/if.c
    netpolicy/policy.h        net/if.h
Region Determination Processing

Referring to Figure 5, when a packet is received as shown in step
80, the region ID is retrieved from the network interface and assigned to the
packet in step 82. It is determined in step 84 whether the packet is encrypted,
i.e., a VPN. If the packet is encrypted, processing proceeds to step 86 where the
VPN security association for that packet is retrieved. The packet is then
decrypted in step 88, and the previously stored region ID for that packet is
replaced with the region ID of the VPN in step 90. All further operations take
place on the decrypted packet.

Ordinarily, a UNIX system then checks whether the packet is
destined for one of the firewall's IP addresses. If not, the packet is forwarded to
the real destination. This has been modified in SecureOS to check that: (a) the
destination is in the same region as the source and (b) the "router" flag is set for
that region, as shown in steps 92 and 94. If either condition is not met, the
packet is not forwarded, as shown in step 102.

In step 96, the system looks for any socket listening for the
incoming packet. Traditionally this match looks at source IP address, source IP
port, destination address, and destination port. This has been extended in
SecureOS, as shown in step 98, to also check the region associated with the
packet against the region specified in the rgnbind() system call, to ensure that
sockets receive data originating only from the correct region. If all conditions
are met, the packet is forwarded in step 100; otherwise, the packet is not
forwarded (step 102).
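The Figure 5 sequence as an added example, not part of the SecureOS kernel: a user-space model in C of the region tagging, the VPN retagging, the router check and the rgnbind() socket match. The region, interface, security association, network and socket tables, the addresses and the helper names are all constructed for the example.

```c
/* Added example (not SecureOS kernel code): the Figure 5 sequence modelled in
 * user space. A packet is tagged with its input interface's region (step 82),
 * retagged with its VPN security association's region after decryption (steps
 * 84-90), then either routed (source and destination in the same region and
 * that region's router flag set, steps 92-94) or matched against a listening
 * socket whose rgnbind() region equals the packet's (steps 96-98).
 * All tables, addresses and helper names below are constructed. */
#include <stdint.h>
#include <stddef.h>

enum verdict { DROP = 0, FORWARD = 1, DELIVER = 2 };

struct region  { const char *name; int rtr; };
struct iface   { const char *name; int region; };
struct vpn_sa  { uint32_t spi; int region; };                   /* security association */
struct net     { uint32_t addr, mask; int region; };
struct lsocket { uint32_t laddr; uint16_t lport; int region; }; /* rgnbind()'d listener */

struct packet {
    int in_iface;          /* index into ifaces[] */
    uint32_t spi;          /* non-zero: the packet arrived encrypted (a VPN) */
    uint32_t src, dst;     /* IPv4 addresses, host byte order */
    uint16_t dport;
    int region;            /* filled in by process_packet() */
};

/* Constructed configuration: 0 = internal (routes), 1 = external, 2 = SSN. */
static const struct region regions[] = { {"internal", 1}, {"external", 0}, {"SSN", 0} };
static const struct iface  ifaces[]  = { {"fxp0", 0}, {"fxp1", 1}, {"fxp2", 2} };
static const struct vpn_sa sas[]     = { {0x1001, 0} };   /* VPN whose SA belongs to internal */
static const struct net    nets[]    = {
    { 0x0A000000, 0xFF000000, 0 },    /* 10.0.0.0/8       internal */
    { 0xC0A88000, 0xFFFFFF00, 2 },    /* 192.168.128.0/24 SSN      */
};
static const uint32_t firewall_addrs[] = { 0x0A000001, 0xC747BE65 }; /* 10.0.0.1, 199.71.190.101 */

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static int region_of_addr(uint32_t a)             /* plays the role of scc_getregion() */
{
    size_t i;
    for (i = 0; i < COUNT(nets); i++)
        if ((a & nets[i].mask) == nets[i].addr) return nets[i].region;
    return 1;                                     /* anything else is external */
}

static int is_firewall_addr(uint32_t a)
{
    size_t i;
    for (i = 0; i < COUNT(firewall_addrs); i++)
        if (firewall_addrs[i] == a) return 1;
    return 0;
}

enum verdict process_packet(struct packet *p, const struct lsocket *socks, size_t nsocks)
{
    size_t i;
    if (p->in_iface < 0 || (size_t)p->in_iface >= COUNT(ifaces)) return DROP;
    p->region = ifaces[p->in_iface].region;          /* steps 80, 82 */
    if (p->spi != 0) {                               /* step 84: encrypted? */
        const struct vpn_sa *sa = NULL;
        for (i = 0; i < COUNT(sas); i++)             /* step 86: find the SA */
            if (sas[i].spi == p->spi) sa = &sas[i];
        if (sa == NULL) return DROP;                 /* no SA, nothing to decrypt with */
        /* step 88 (decryption) omitted; step 90: the VPN's region replaces the interface's */
        p->region = sa->region;
    }
    if (!is_firewall_addr(p->dst)) {                 /* not addressed to us: route it? */
        if (region_of_addr(p->dst) == p->region && regions[p->region].rtr)
            return FORWARD;                          /* steps 92 and 94 satisfied */
        return DROP;                                 /* step 102 */
    }
    for (i = 0; i < nsocks; i++)                     /* steps 96, 98 */
        if (socks[i].laddr == p->dst && socks[i].lport == p->dport
            && socks[i].region == p->region)
            return DELIVER;                          /* step 100 */
    return DROP;                                     /* step 102 */
}
```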

The following example sets up three regions: internal, external,
and Secure Server Net (SSN):
The fields are:

Name             user specified region name

Members          physical interfaces and VPN encrypted connections that belong
                 to this region.

WeShowAddrTo     the Network Address Translation configuration. This example
WeSeeAddrFrom    shows that the Internal region is hidden from all others, and
                 that the SSN region is hidden from External but visible to
                 Internal.

Rtr              if 1, the firewall acts as a router between members of this
                 region. In this example, packets would flow between the
                 Internal region and the VPN to Waterloo as if they were simply
                 going through a router.

Conn             if 1, the firewall returns "connection refused" messages if
                 there is no service available on the requested network port.
                 Setting this to 0 on external regions can help defeat network
                 scanning attacks.

Ping             respond to network pings (ICMP ECHO-REQUEST packets). Again,
                 setting to 0 on external regions can help defeat network scans.
The following example shows a region of the firewall of the present invention 
configured to sit between two departments of a company and transparently filter 
and control network access between the departments. 
The two regions can see each others' IP addresses; that is, no address translation
is done. Nevertheless, network connections are only allowed if an access rule on
the firewall grants permission.

The ACLs described above combine the services themselves, the regions
that the services bridge, and the access control decisions. The user draws a graph
which starts with a service and a to-from set. Next, the user creates a path
consisting of the desired options which can include: time, session counts,
authentication, encryption, users/groups, WWW filters, ftp filters, email filters,
destination address re-writes, to addresses and from addresses. The user is
building a decision tree.

In the embodiment shown, some of the decision nodes in the tree have
two paths from them to the next node (a true path and a false path) and some just
have one path. The nodes that have one path are nodes which provide filtering,
logging, or address rewrites. No decisions are made on filtering since filtering is
performed in user level code. (For example, to make the implementation easier,
the kernel will not try to implement SmartFilter. Instead, the result of the ACL
check will be to provide a response which notes SmartFilter should be applied
and supplies the categories which are to be blocked. The proxy will allow the
connection provided that the SmartFilter check allows the connection.)

As noted above, in one embodiment each node in the decision tree can be
one of two types of node. The first type is a decision node. The second type of
node is a filter node.

A decision node is one where the decision regarding the action to
perform is done in the kernel. To the user, on the GUI, it means that they can
have a true branch and a false branch. This node is implemented in user space
in the service itself.

A filter node is implemented in user space in the service itself. The
service will ignore filters which do not apply to it. To the user, on the GUI, it
means that they can only have a true branch. The false branch is always a deny
service.


Decision Nodes

This section describes one embodiment of the decision nodes and their
associated data structures. Also described are the system calls that will be
available to work on the node. This design assumes that each ACL will consist
of first a list of services, followed by some to/from region decisions, and then
followed by anything else desired.

The scc decision node is a structure that looks like this:

    struct scc_decision_node {
        char *node_descriptor;
        int loop_check;
        scc_decision_node *true_path;
        scc_decision_node *false_path;
        int reference_count;
        int node_has_been_deleted;
        int node_type;
        int debug_node;
        union {
            scc_user_rec user_struct;
            scc_addr_rec addr_struct;
            scc_counter_rec *counter_struct;
            scc_decision_node *subrule_ptr;
            scc_date_rec date_struct;
            scc_filter_rec filter_struct;
            scc_log_rec log_struct;
            scc_rewrite_rec rewrite_struct;
            scc_mat_rec mat_struct;
        } detail_data;
    }

node_type is one of:

    #define ACL_SERVICE_DECISION_NODE  0
    #define ACL_USER_DECISION_NODE     1
    #define ACL_ADDR_DECISION_NODE     2
    #define ACL_COUNTER_DECISION_NODE  3
    #define ACL_RULE_DECISION_NODE     4
    #define ACL_DATE_DECISION_NODE     5
    #define ACL_FILTER_NODE            6
    #define ACL_LOG_NODE               7
    #define ACL_REDIRECT_NODE          8
    #define ACL_PERMIT_SERVICE         9
    #define ACL_DENY_SERVICE           10

which describes which of the union pointers to use. And, in the case of the end of
the path, the node_type indicates if a permit or deny is to be used.

Note that the subrule_ptr is to implement the rule within a rule
requirement of the GUI.

If a decision to check is true, then the true_path is the next node to
check. Similarly for a false decision.

The node_descriptor is a character string which describes this particular
node. There is no set definition for this description so the backend is free to
enumerate nodes as it wishes and the GUI/backend can use node descriptors to
glue together messages from the audit stream to trace through what is happening
in the decision process. Also we use the node descriptor as an index into the
node table. This table has as entries a pointer to each node for fast node lookup.

If a node is deleted, then the node_has_been_deleted flag is set. If at any
point in an ACL check we come across such a node we issue a deny. We use the
reference_count to determine if we actually delete the node. Only when the
reference count is zero do we actually free up the memory.

The debug_node flag can be set to do various things as will be discussed
below.

We use the loop_check flag to prevent loops in the ACLs causing us to
recurse forever. We set this flag to true when we enter this node for checking and
after checking the children to the end we reset the value to false. If while
checking the children we encounter a loop flag set to true we know we have
reached a cycle in the tree.

The Services node and regions node are special decision nodes which
anchor the decision tree. This allows for quick indexing by service number. To
do this, there will be an array of pointers (scc_service_array) indexed by the
service number. The pointers point to an array of regions used by that service.
There will be a variable max service number which the kernel will maintain to
use as a guideline for indexing into the service array. Each entry in the
scc_service_array will be a structure as follows:

    struct scc_service_rec {

Each service should have a unique number, but this will not be
implemented in the kernel. Rather, the kernel will be given a service number and
the kernel will allocate a bucket for that service. The kernel will be unconcerned
about which service this bucket actually belongs to. Note that the
scc_service_rec is not a part of the scc_decision_node listed above.

When we want to delete everything for an entire service (a user defined
service for example), we check to see if all structures pointed at by the region
array are empty. If not we mark this node as being deleted. The scc_service_recs
pointed at by the region array will decrement the reference count as they get
deleted (and freed) and when the reference count is zero this record is freed.

When an ACL check is requested we use the service number to index into
the table of services. This leads us to a scc_service_def structure. We index into
the region_array using the to and from regions. If the entry has a value (i.e. the
pointer is not NULL) and if the node_has_been_deleted flag is false, then this
scc_decision_node pointer is used to start traversing this tree. If no decision tree is
found for this particular region-service combination, then the service is denied
access.

We will keep track of sessions for each service-region combination so
that other programs can check to see the status of traffic on the box. Thus, every
time a success is returned, the counts here are increased and every time a service
de-registers, the proper counter, current_sessions, is decreased. The
node_has_been_deleted is there for when the service record is to be deleted. In
this case, processes will continue to decrement the current sessions until all the
counts are zero. At that time, the memory will be freed. When we can free this
structure we go back to the parent structure and NULL the entry in its
region_array. If all entries are null then free that structure if it is marked for
deletion.
The user decision node is used to make decisions specific to users or
groups of users. This structure is simple and goes like this:

    struct scc_user_rec {
        char **sorted_user_array;
        int number_of_users;
    }

If the user being checked is in the array of users, then the decision is
true. If one of the groups that the user belongs to (also included in the system
call) is in the array of users, then the decision is true. Note that users and groups
are one and the same as far as the system goes. This means the GUI/backend
must make sure that there is not a group called Andrew and a user called
Andrew.

If no user name was provided for the ACL check and if user names are
relevant to this protocol (i.e. the name_valid flag was set to true in the ACL
call), then if the calling process does not provide a user name,

    #define ACL_NEED_USER_NAME 8

will be returned. The proxy would need to query for a user name and call again
with that information.
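As an added example (not the kernel's ACL code), the following C model walks a decision tree of the shape described above: it honours loop_check, treats a node marked node_has_been_deleted on the path as a deny, and implements the user decision node with the name_valid and ACL_NEED_USER_NAME behaviour. The walk function, the group-list handling and the sample tree are assumptions of the example.

```c
/* Added example, not the SecureOS kernel code: a user-space model of the ACL
 * decision-tree walk. Node types, return codes and field names follow the
 * page; acl_walk(), the group handling and the sample tree are assumptions. */
#include <stddef.h>
#include <string.h>

#define ACL_DENY               0
#define ACL_ALLOW_SHOW_ALL     4
#define ACL_NEED_USER_NAME     8
#define ACL_USER_DECISION_NODE 1
#define ACL_PERMIT_SERVICE     9
#define ACL_DENY_SERVICE       10

typedef struct scc_user_rec {
    const char **sorted_user_array;   /* users and groups share one namespace */
    int number_of_users;
} scc_user_rec;

typedef struct scc_decision_node {
    const char *node_descriptor;
    int loop_check;                   /* set while this node is being checked */
    struct scc_decision_node *true_path, *false_path;
    int node_has_been_deleted;
    int node_type;
    union { scc_user_rec user_struct; } detail_data;
} scc_decision_node;

/* Binary search: the backend hands the kernel a sorted user/group array. */
static int user_listed(const scc_user_rec *u, const char *name)
{
    int lo = 0, hi = u->number_of_users - 1;
    while (lo <= hi) {
        int mid = (lo + hi) / 2, c = strcmp(name, u->sorted_user_array[mid]);
        if (c == 0) return 1;
        if (c < 0) hi = mid - 1; else lo = mid + 1;
    }
    return 0;
}

/* Walk from node. user_name may be NULL; groups is the NULL-terminated list
 * the library call resolves for that user. rule_name receives the terminal
 * node's descriptor, truncated to rule_name_len - 1 characters. */
int acl_walk(scc_decision_node *node, const char *user_name,
             const char **groups, int name_valid, char *rule_name, int rule_name_len)
{
    scc_decision_node *next;
    int rc, match, i;
    if (node == NULL || node->node_has_been_deleted || node->loop_check)
        return ACL_DENY;              /* missing, deleted, or a cycle: deny */
    node->loop_check = 1;
    switch (node->node_type) {
    case ACL_PERMIT_SERVICE:
    case ACL_DENY_SERVICE:
        if (rule_name_len > 0) {
            strncpy(rule_name, node->node_descriptor, rule_name_len - 1);
            rule_name[rule_name_len - 1] = '\0';
        }
        rc = node->node_type == ACL_PERMIT_SERVICE ? ACL_ALLOW_SHOW_ALL : ACL_DENY;
        break;
    case ACL_USER_DECISION_NODE:
        if (!name_valid) {            /* protocol has no user names: take the true path */
            next = node->true_path;
        } else if (user_name == NULL) {
            node->loop_check = 0;     /* ask the proxy to supply a name and call again */
            return ACL_NEED_USER_NAME;
        } else {
            match = user_listed(&node->detail_data.user_struct, user_name);
            for (i = 0; !match && groups && groups[i]; i++)
                match = user_listed(&node->detail_data.user_struct, groups[i]);
            next = match ? node->true_path : node->false_path;
        }
        rc = acl_walk(next, user_name, groups, name_valid, rule_name, rule_name_len);
        break;
    default:
        rc = ACL_DENY;                /* other node types are not modelled here */
    }
    node->loop_check = 0;             /* reset once the children have been checked */
    return rc;
}

/* Constructed sample tree: a user node leading to permit "allow_staff" or deny "deny_rest". */
static const char *staff[] = { "andrew", "ops" };      /* must be sorted */
static scc_decision_node permit = { "allow_staff", 0, NULL, NULL, 0, ACL_PERMIT_SERVICE, { { NULL, 0 } } };
static scc_decision_node deny = { "deny_rest", 0, NULL, NULL, 0, ACL_DENY_SERVICE, { { NULL, 0 } } };
static scc_decision_node root = { "user_check", 0, &permit, &deny, 0, ACL_USER_DECISION_NODE, { { staff, 2 } } };

/* A node whose true path points back at itself: the loop_check guard denies. */
int sample_loop_check(void)
{
    scc_decision_node cyc = { "cycle", 0, NULL, NULL, 0, ACL_USER_DECISION_NODE, { { staff, 2 } } };
    cyc.true_path = &cyc;
    return acl_walk(&cyc, "andrew", NULL, 1, NULL, 0);
}
```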

The IP Addresses/Host Names decision node is used to make decisions
that select for/against source or destination addresses or host names.

    struct scc_addr_rec {
        int type;
        char **sorted_hostname_array;
        int number_of_names;
        /* radix tree of host numbers/network masks */
    }

Where type is either:

    #define ACL_ADDR_SRC_CHECK 0
    #define ACL_ADDR_DST_CHECK 1

The same structure is used for a source address check and a destination
address check. Note that if the address/mask set does not contain the current
address being examined and if sorted_hostname_array contains some data, then
if the correct name was not provided in the ACL call to the kernel, the kernel
will return the value:

    #define ACL_RESOLVE_SRC_ADDR 2
    #define ACL_RESOLVE_DST_ADDR 3

indicating which address needs to be resolved via a reverse DNS lookup. The
ACL would then be called again with the resolved name.

Note that the list of host names must be in sorted order but the letters of
the hostname must be reversed. For example, rafael.tor.securecomputing.com
would be moc.gnitupmoceruces.rot.leafar. These are then put into sorted order.
This allows the kernel to quickly process wild card entries. It is also important
that unneeded entries are not loaded into the kernel. For example if the user has
specified *.com, then no other entries of the form .com should be present in the
list passed to the kernel.
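An added example (not the kernel's address-node code) of the reversed, sorted host name list in C: reverse_hostname() produces the form shown above, build_hostname_list() prepares the sorted array, and hostname_listed() does the lookup. It assumes wildcards are stored with their leading '*' (so "*.com" becomes "moc.*") and relies on the rule just stated that no more specific entry is loaded beside a wildcard that covers it.

```c
/* Added example, not the kernel's address-node code: the sorted, letter-reversed
 * host name list described above. Wildcards keep their leading '*', which the
 * reversal turns into a trailing '*' ("*.com" -> "moc.*"). The lookup relies on
 * the rule from the text that no more specific entry is loaded beside a wildcard
 * that already covers it. Function names and buffer sizes are this example's. */
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 256

/* "rafael.tor.securecomputing.com" -> "moc.gnitupmoceruces.rot.leafar" */
void reverse_hostname(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name), i;
    if (n >= outlen) n = outlen - 1;
    for (i = 0; i < n; i++) out[i] = name[n - 1 - i];
    out[n] = '\0';
}

static int cmp_str(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Prepare the list the kernel is given: every name reversed, then sorted.
 * storage holds n buffers; out receives the sorted pointers into it. */
void build_hostname_list(const char **names, int n, char (*storage)[MAX_NAME], const char **out)
{
    int i;
    for (i = 0; i < n; i++) {
        reverse_hostname(names[i], storage[i], MAX_NAME);
        out[i] = storage[i];
    }
    qsort(out, (size_t)n, sizeof *out, cmp_str);
}

/* 1 if name is in the list, exactly or via a wildcard. Because '*' sorts before
 * every character that can occur in a host name, a wildcard "stem*" covering
 * the reversed query sits immediately below the query's lower bound, provided
 * no other "stem..." entry was loaded. One binary search does the whole job. */
int hostname_listed(const char **list, int n, const char *name)
{
    char q[MAX_NAME];
    int lo = 0, hi = n;
    reverse_hostname(name, q, sizeof q);
    while (lo < hi) {                          /* lower bound of q */
        int mid = (lo + hi) / 2;
        if (strcmp(list[mid], q) < 0) lo = mid + 1; else hi = mid;
    }
    if (lo < n && strcmp(list[lo], q) == 0)
        return 1;                              /* exact entry */
    if (lo > 0) {
        const char *w = list[lo - 1];
        size_t len = strlen(w);
        if (len > 0 && w[len - 1] == '*' && strncmp(w, q, len - 1) == 0)
            return 1;                          /* wildcard covers q */
    }
    return 0;
}
```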
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The MaxiTTium Concurrent Sessions decision node provides the ability to 
put a choke on the number of concurrent sessions on a service or group of 
services. We want to have the abihty to program a counter to be shared among 
all the services on this path, or to have the counter count for each service 
5 individually. 

The structure to handle this looks like this: 



struct scc_count_rec { 

int service_specif icj_f lag; 
10 unsigned long current_count ; 

unsigned long Tnax_count ; 

unsigned long. total_.count ; 

scc_detail_count_rec **service_counters ; 

unsigned lonig riuTn__services ; ' 
15 ... ■., } . : ., . - .^ - 



Where the 5erv/ce_5/?ec//zc_;_^ag can have values: 

#def ine ACL^SHARE_COUNT; 0 ; 
20 #define ACL_INDIVID_COUNT 1 

and if the service_specificjlag has value ACL_SHARE_COUNT, then the 
shared count record is used. Otherwise, the array is used. Note the size of the 
array is stored in numjservices and the array is indexed as: 

25 

service_counters [se2rvice_number] , 



The sec jietail_count_rec is: 

30 struct scc_detail_count_rec { 

int number_regi6ns ; 

unsigned long se2rvice_number ; 

imsigned long *current_count ; 

unsigned long *total_count ; 
35 scc_decision^node *parent_record; 

int node has been deleted; 
where the current count tells how many connections that use this counter are
currently active. The total count is the total number of connections that have
used this counter. We use the max_count from the scc_count_rec to determine
the max. Thus the max is a shared value that all individual counts must adhere
to. The arrays in the scc_detail_count_rec are indexed as:

    current_count[to_region][from_region].

Each time a detailed record is allocated the parent decision node's
reference count is incremented.

The node_has_been_deleted flag tells a process that is going to decrement
the counter whether this node is being used or not. If set to false, then the record
is in use and increments or decrements are done accordingly. If set to true, then
when the count gets decremented to zero, the memory is freed up and the parent's
reference counter is decremented. If the parent has been deleted and if the
reference counter is set to zero then the parent node is freed.

The node_has_been_deleted flag in the detailed record gets set to true
(i.e. not zero) when the node itself goes away (the user has removed it from the
diagram) or if the counter is switched from individual to shared service counts.
Note that each counter is indexed by to region and from region so that the count
is unique on a service, from region, to region triplet.

The parent_record pointer points back to the top level
scc_decision_node. The service number is there so that we can index into the
service_counters array and set the array pointer to NULL when we are preparing
to free up memory.

When the counter is switched from individual to shared service, then the
records in the array are all invalidated. The totals of the counts of the array are
added up as the new total_count for this node (in the parent record). In order to
keep the counters correct, when we decrement a counter, check to see if the
record has been deleted. If the record is marked as deleted and if the
parent_record is set to shared, then decrement the shared counter as well. If the
individual counter is now zero, free up the memory as above.
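The counter life cycle described above (allocation bumping a reference count, the node_has_been_deleted flag, the switch from individual to shared counting, and the deferred free on the last decrement) is shown below as an added C example. It is not the patent's code: the type names follow the structures above, but the [to_region][from_region] arrays are flattened into one block, parent_record is pointed at the owning count record rather than the decision node, and a ref_count field stands in for the decision node's reference counter. The demo scenario and its numbers are constructed.

```c
#include <stdlib.h>

#define ACL_SHARE_COUNT   0
#define ACL_INDIVID_COUNT 1

typedef struct scc_count_rec scc_count_rec;
typedef struct {                        /* per-service record; [to][from] flattened */
    int number_regions;
    unsigned long service_number;
    unsigned long *current_count, *total_count;
    scc_count_rec *parent_record;       /* assumption: points at the owning count record */
    int node_has_been_deleted;
} scc_detail_count_rec;
struct scc_count_rec {
    int service_specific_flag;
    unsigned long current_count, max_count, total_count;
    scc_detail_count_rec **service_counters;
    unsigned long num_services;
    int ref_count;                      /* stands in for the decision node's reference count */
};

static size_t ncells(const scc_detail_count_rec *d) { return (size_t)d->number_regions * d->number_regions; }
static size_t cell(const scc_detail_count_rec *d, int to, int from) { return (size_t)to * d->number_regions + from; }

static unsigned long detail_active(const scc_detail_count_rec *d)
{
    unsigned long sum = 0; size_t i;
    for (i = 0; i < ncells(d); i++) sum += d->current_count[i];
    return sum;
}

/* Allocating a detail record increments the parent's reference count. */
static scc_detail_count_rec *detail_get(scc_count_rec *rec, unsigned long svc, int nregions)
{
    scc_detail_count_rec *d = rec->service_counters[svc];
    if (d) return d;
    d = calloc(1, sizeof *d);
    d->number_regions = nregions; d->service_number = svc; d->parent_record = rec;
    d->current_count = calloc(ncells(d), sizeof *d->current_count);
    d->total_count = calloc(ncells(d), sizeof *d->total_count);
    rec->service_counters[svc] = d; rec->ref_count++;
    return d;
}

/* Freeing clears the array slot (via service_number) and drops the reference. */
static void detail_free(scc_detail_count_rec *d)
{
    d->parent_record->service_counters[d->service_number] = NULL;
    d->parent_record->ref_count--;
    free(d->current_count); free(d->total_count); free(d);
}

/* Admission check: 1 = true path, 0 = false path. *used receives the detail
 * record charged (NULL for the shared counter); the caller keeps it to release. */
static int count_acquire(scc_count_rec *rec, unsigned long svc, int to, int from,
                         int nregions, scc_detail_count_rec **used)
{
    *used = NULL;
    if (rec->service_specific_flag == ACL_SHARE_COUNT) {
        if (rec->current_count >= rec->max_count) return 0;
        rec->current_count++; rec->total_count++;
        return 1;
    }
    scc_detail_count_rec *d = detail_get(rec, svc, nregions);
    size_t i = cell(d, to, from);
    if (d->current_count[i] >= rec->max_count) return 0;   /* max is shared by all */
    d->current_count[i]++; d->total_count[i]++;
    *used = d;
    return 1;
}

/* Release one session. An invalidated record also adjusts the shared counter
 * and is freed once its last session leaves. */
static void count_release(scc_count_rec *rec, scc_detail_count_rec *d, int to, int from)
{
    if (d == NULL) { if (rec->current_count) rec->current_count--; return; }
    size_t i = cell(d, to, from);
    if (d->current_count[i]) d->current_count[i]--;
    if (!d->node_has_been_deleted) return;
    if (rec->service_specific_flag == ACL_SHARE_COUNT && rec->current_count) rec->current_count--;
    if (detail_active(d) == 0) detail_free(d);
}

/* Switch to shared counting: invalidate all detail records and fold their totals
 * into the parent. Open sessions carry over into current_count so that their
 * later releases balance (my reading; the text only spells out the total). */
static void count_switch_to_shared(scc_count_rec *rec)
{
    unsigned long svc; size_t i;
    rec->total_count = 0; rec->current_count = 0;
    for (svc = 0; svc < rec->num_services; svc++) {
        scc_detail_count_rec *d = rec->service_counters[svc];
        if (!d) continue;
        for (i = 0; i < ncells(d); i++) { rec->total_count += d->total_count[i]; rec->current_count += d->current_count[i]; }
        d->node_has_been_deleted = 1;
        if (detail_active(d) == 0) detail_free(d);   /* no session left to release it */
    }
    rec->service_specific_flag = ACL_SHARE_COUNT;
}

struct demo_result { int third_denied, denied_after_switch, readmitted, ref_count_end;
                     unsigned long total_after_switch, current_after_switch; };

/* Constructed scenario: max 2 sessions, two services, two regions. */
static struct demo_result demo(void)
{
    struct demo_result r;
    scc_detail_count_rec *slots[2] = {0}, *a, *b, *c, *x;
    scc_count_rec rec = { ACL_INDIVID_COUNT, 0, 2, 0, slots, 2, 0 };
    count_acquire(&rec, 0, 0, 1, 2, &a);            /* service 0, region 1 -> region 0 */
    count_acquire(&rec, 0, 0, 1, 2, &b);
    r.third_denied = !count_acquire(&rec, 0, 0, 1, 2, &x);
    count_acquire(&rec, 1, 0, 1, 2, &c);            /* service 1 has its own counter */
    count_switch_to_shared(&rec);
    r.total_after_switch = rec.total_count;         /* 2 + 1 */
    r.current_after_switch = rec.current_count;     /* three sessions still open */
    r.denied_after_switch = !count_acquire(&rec, 0, 0, 1, 2, &x);
    count_release(&rec, a, 0, 1);
    count_release(&rec, b, 0, 1);                   /* last session of service 0: record freed */
    r.readmitted = count_acquire(&rec, 0, 0, 1, 2, &x);   /* shared count is now 1 < 2 */
    count_release(&rec, c, 0, 1);
    count_release(&rec, x, 0, 1);
    r.ref_count_end = rec.ref_count;
    return r;
}
```

The proc-structure bookkeeping described later in the text (which counter a dying process must release) corresponds to the `used` pointer the caller keeps here.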
The time and date decision node provides the ability to use date and time as
a means of restricting access to services. The structures look like this:

struct scc_date_rec {
    unsigned long number_details;
    scc_date_detail_rec *date_details;
};

struct scc_date_detail_rec {
    unsigned long start_seconds;
    unsigned long end_seconds;
};

The scc_date_rec is the top level structure and it has number_details
separate date rules. Each of those rules is in a scc_date_detail_rec. So, we
have an array of structures in scc_date_rec each of which has a start seconds
and an end seconds value. Each value is relative to the beginning of Sunday.
Thus, start second 0 and end second 1 would allow the connection only
during the first second of Sunday.

The backend must provide the records in sorted order by start second.

A time and date decision is based on a series of time rules. We simply
check the current time and day against each rule. If we find a rule where the
current time and day falls in that rule, then the decision is the true path; otherwise
it is the false path.
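The time rule check above, as an added C example (not the patent's code). It keeps the page's structure names as typedefs, reads the "start second 0 and end second 1" example as a half-open interval [start, end), and uses the sorted order the backend must supply to stop scanning early. The business-hours policy and the backend-side validation step are constructed for this example.

```c
#include <time.h>
#include <stdlib.h>

typedef struct {
    unsigned long start_seconds;     /* offset from 00:00:00 Sunday */
    unsigned long end_seconds;       /* exclusive: [start, end) covers the "first second" example */
} scc_date_detail_rec;

typedef struct {
    unsigned long number_details;
    scc_date_detail_rec *date_details;   /* sorted by start_seconds */
} scc_date_rec;

#define SECS_PER_DAY  86400UL
#define SECS_PER_WEEK (7UL * SECS_PER_DAY)

/* Seconds since the beginning of Sunday for a broken-down local time. */
static unsigned long week_seconds(const struct tm *t)
{
    return (unsigned long)t->tm_wday * SECS_PER_DAY
         + (unsigned long)t->tm_hour * 3600UL
         + (unsigned long)t->tm_min * 60UL
         + (unsigned long)t->tm_sec;
}

/* The decision: 1 = true path (a rule covers now), 0 = false path.
 * Rules are sorted by start, so the scan stops at the first future rule. */
static int time_rule_decision(const scc_date_rec *rec, unsigned long now)
{
    unsigned long i;
    for (i = 0; i < rec->number_details; i++) {
        const scc_date_detail_rec *r = &rec->date_details[i];
        if (r->start_seconds > now)
            break;
        if (now < r->end_seconds)
            return 1;
    }
    return 0;
}

static int cmp_start(const void *a, const void *b)
{
    const scc_date_detail_rec *x = a, *y = b;
    return (x->start_seconds > y->start_seconds) - (x->start_seconds < y->start_seconds);
}

/* Backend side (constructed): reject malformed rules, then sort them the way
 * the kernel expects. Returns 0 on success, -1 on a bad rule. */
static int prepare_date_rec(scc_date_rec *rec)
{
    unsigned long i;
    for (i = 0; i < rec->number_details; i++) {
        const scc_date_detail_rec *r = &rec->date_details[i];
        if (r->end_seconds <= r->start_seconds || r->end_seconds > SECS_PER_WEEK)
            return -1;
    }
    qsort(rec->date_details, rec->number_details, sizeof *rec->date_details, cmp_start);
    return 0;
}

/* Constructed policy: Monday to Friday, 08:00 to 18:00, supplied unsorted. */
static scc_date_detail_rec g_rules[5];
static scc_date_rec g_policy = { 5, g_rules };

static int build_business_hours(void)
{
    int wday, i = 0;
    for (wday = 5; wday >= 1; wday--) {          /* deliberately reversed order */
        g_rules[i].start_seconds = wday * SECS_PER_DAY + 8 * 3600UL;
        g_rules[i].end_seconds   = wday * SECS_PER_DAY + 18 * 3600UL;
        i++;
    }
    return prepare_date_rec(&g_policy);
}

/* Decision under the sample policy for a weekday (0 = Sunday) and time of day. */
static int allowed_at(int wday, int hour, int min, int sec)
{
    struct tm t = {0};
    t.tm_wday = wday; t.tm_hour = hour; t.tm_min = min; t.tm_sec = sec;
    return time_rule_decision(&g_policy, week_seconds(&t));
}
```

In the kernel the `now` value would come from the clock; `week_seconds` shows the conversion from a broken-down time, and `allowed_at(5, 17, 59, 59)` versus `allowed_at(5, 18, 0, 0)` shows the boundary behaviour.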

In one embodiment, to be a complete rule, a rule must consist of at least a
services node and a region node and have all true and false branches terminated
by terminal nodes. If you plan to use a segment of a particular rule in more than
one rule, you can create a partial rule. Partial, or shared, rules can be added to
any complete rule.

In one embodiment, complete or partial access rules can be configured
using a graphical user interface such as is shown in Fig. 3. In order to configure
a complete or partial rule one must perform the following general steps:

1) decide if you want to create a complete or partial rule.

2) select the services this rule will control.

3) select the source region and destination region for the rule.

4) decide on a name for the rule.

5) decide what nodes you want to add to this rule.

The ability to create shared rule segments is built into the system as 
follows. A rule is simply a chain of decision nodes. After the chain of rules is 
5 completed, the decision path at the entry point to the sub-rule is taken based on 
the outcome of the rule. The filters and audit messages within the rule are still 
generated and accumulated. 

Log nodes direct the kernel to log messages to the audit subsystem. The
backend can fully specify the message to log. The structure is as follows:

struct scc_log_rec {
    char *audit_message;
    int audit_message_type;
};

The message will be of the form:

audit_printf(audit_message_type,
    AUDIT_A_AREA,
    AUDIT_T_NETACL,
    AUDIT_P_MAJOR,
    "%s from ACL log node: %s",
    node_descriptor,
    audit_message);

Note that an scc_log_node always takes the true path of the decision tree.

In one embodiment, filters are just strings which the proxy interprets to
perform its filtering. The kernel does none of the decision work. Instead, the
kernel is given a pattern, and if the node is reached and if there is some data for
the decision made at that node, then the pattern is accumulated as a filter. All of
the filters are accumulated by the kernel, concatenated together and returned to
the proxy as part of the system call. In such an embodiment, the kernel requires
no work to implement filters beyond the re-writing of addresses.

A filter structure contains all the relevant filter data. The following shows
the data and explains its use:

struct {
    char *filter_string;
    int filter_string_length;
};

If the filter_string_length is zero, then there are no filters; otherwise, this filter
string is appended to the array passed in the ACL call by the service.

The filters are as follows: encryption, authentication.

The encryption filter requires that a connection is encrypted with a
certain level of encryption. It will be up to the user level process to verify that
the requirements of the filter are met. If the requirements are not met the action
is to deny the connection.

The authentication filter requires that a connection is authenticated. One
or more possible methods of authentication can be specified. This would only
apply to those protocols that allow for a user name as part of the protocol.
Currently this would be: ftp, telnet, and WWW.

There are a number of possible WWW Filters. For instance, SmartFilter
can be used as described above. In addition, a WWW filter may block Java or
ActiveX scripts. In one embodiment the SmartFilter filter can also specify which
policy to use (for sites that define multiple policies). These are performed by the
caching WWW proxy only. One such embodiment also includes cookie
blocking.

Likewise, there are a number of possible FTP Filters. These include
filtering on: GET, PUT, PASV, PORT, MKDIR, RMDIR, RENAME,
DELETE, SITE, filtering on file size and filtering anonymous ftp. All filtering
must be done by the proxy or server.

Furthermore, there are a number of email filters required. This includes
mail mapping and content blocking. Again the proxy/server must fulfil the
requirements of the filter.



Redirect nodes

Redirect nodes act like filters since they only have one path out of them.
Redirects are tables which map source or destination addresses to other source or
destination addresses. Currently we only map destination addresses. The most
obvious use of redirects is to map connections coming into the firewall from
the insecure side of a NAT region pair to a secure machine. In this case, the
connecting host cannot see the hosts behind the firewall. The redirects will map a
connection coming to a given firewall address (could be one of many because of
MAT) to the desired secure host. The kernel will only accept addresses (the UI
can accept names providing it translates them to an address). The tables, whose
structure is described below, will contain an entry for each MAT address that
applies.

Another use of redirects is to map an address going from a region which
can see all the hosts in the destination region. In this case, the redirect has only
one entry which maps the address and port to the given address and port.

The final case is one where we might not know which of the above two
apply. In that case, all possible MAT addresses might be present and a global
rule, in the case that the connection is not to the Firewall itself, is also present.
This final case happens when you are using a redirect from a rule within a rule.
The structure for the redirect table is as follows:



struct scc_rewrite_rec {
    int node_type;
    int no_match_flag;
    int num_table_entries;
    scc_rewrite_rule *rewrite_rules;
};

struct scc_rewrite_rule {
    struct sockaddr_in check_addr;    /* including port */
    struct sockaddr_in netmask;       /* netmask used for checking */
    struct sockaddr_in new_addr;      /* including port */
};

The node_type is one of:

    ACL_SRC_REWRITE_NODE
    ACL_DST_REWRITE_NODE
Since the number of addresses to check against is minimal, we will
leave the addresses in unsorted order.

The redirect mapping goes as follows:

1. See if there is an address/port which matches the current
connection. A port number of 0 means any port and an address of 0.0.0.0 means
any address.

2. If there is a matching address or port, rewrite the addresses.

3. If there is no matching address then, if the no_match_flag is set to
ACL_REWRITE_NO_MATCH_DENY, deny the connection. Otherwise
leave the port and address unchanged.

Note that if there are multiple redirect boxes on the path that allows a
successful connection, then the one closest to the check mark has priority. Note
also how rules which do not change a value are treated: if there is a rule which says
for any address map port x to port y, then the address is not considered to be
mapped and thus a redirect box further away from the check mark could rewrite
that address (but not the port). If there is a rule further away which remaps the
address and the port then that rule does not apply.

One embodiment supports netmasks in the kernel. Such an embodiment
masks the address to check with the netmask and checks to see if it is the same as
the check_addr. If so (and providing there is a port match) we have a match.
Thus the check_addr and the netmask must match.
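The matching steps, the no-match flag, the netmask comparison and the priority rule between redirect boxes, as an added C example (not the patent's code). Assumptions beyond the page: the numeric values of ACL_REWRITE_NO_MATCH_DENY and a "pass" counterpart (only the DENY name appears above), a zero address or port in new_addr meaning "leave that field alone", and the sample firewall addresses and internal hosts, which are constructed from TEST-NET and private ranges.

```c
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Only the DENY name is on the page; both values are assumed here. */
#define ACL_REWRITE_NO_MATCH_DENY 1
#define ACL_REWRITE_NO_MATCH_PASS 0

typedef struct {
    struct sockaddr_in check_addr;   /* address/port to match; 0 means any */
    struct sockaddr_in netmask;      /* applied to the connection address before comparing */
    struct sockaddr_in new_addr;     /* replacement; a zero field is left alone (assumption) */
} scc_rewrite_rule;

typedef struct {
    int no_match_flag;
    int num_table_entries;
    scc_rewrite_rule *rewrite_rules; /* unsorted, as the text says */
} scc_rewrite_rec;

static struct sockaddr_in sin_make(const char *ip, unsigned short port)
{
    struct sockaddr_in s;
    memset(&s, 0, sizeof s);
    s.sin_family = AF_INET;
    s.sin_port = htons(port);
    inet_pton(AF_INET, ip, &s.sin_addr);
    return s;
}

/* Step 1: port 0 and 0.0.0.0 are wildcards; otherwise mask, then compare. */
static int rule_matches(const scc_rewrite_rule *r, const struct sockaddr_in *a)
{
    int port_ok = r->check_addr.sin_port == 0 || r->check_addr.sin_port == a->sin_port;
    int addr_ok = r->check_addr.sin_addr.s_addr == 0 ||
        (a->sin_addr.s_addr & r->netmask.sin_addr.s_addr) == r->check_addr.sin_addr.s_addr;
    return port_ok && addr_ok;
}

/* Steps 2 and 3 for one redirect node. *addr_mapped / *port_mapped record what
 * a node closer to the check mark already rewrote; a rule that would touch such
 * a field does not apply. Returns 1 rewritten, 0 unchanged, -1 denied. */
static int redirect_apply(const scc_rewrite_rec *rec, struct sockaddr_in *dst,
                          int *addr_mapped, int *port_mapped)
{
    int i, matched = 0;
    for (i = 0; i < rec->num_table_entries; i++) {
        const scc_rewrite_rule *r = &rec->rewrite_rules[i];
        int chg_addr = r->new_addr.sin_addr.s_addr != 0;
        int chg_port = r->new_addr.sin_port != 0;
        if (!rule_matches(r, dst))
            continue;
        matched = 1;
        if ((chg_addr && *addr_mapped) || (chg_port && *port_mapped))
            continue;                      /* a closer node already decided that field */
        if (chg_addr) { dst->sin_addr = r->new_addr.sin_addr; *addr_mapped = 1; }
        if (chg_port) { dst->sin_port = r->new_addr.sin_port; *port_mapped = 1; }
        return 1;
    }
    if (!matched && rec->no_match_flag == ACL_REWRITE_NO_MATCH_DENY)
        return -1;
    return 0;
}

typedef struct { int denied; unsigned long addr; unsigned short port; } redirect_result;

/* Constructed path, closest node to the check mark first: node 1 maps the
 * firewall's two MAT addresses to internal hosts and denies anything else;
 * node 2 is a generic rewrite further away. addr is returned in host order. */
static redirect_result demo_redirect(const char *ip, unsigned short port)
{
    scc_rewrite_rule n1[2] = {
        { sin_make("192.0.2.10", 80), sin_make("255.255.255.255", 0), sin_make("10.0.0.5", 8080) },
        { sin_make("192.0.2.11", 0),  sin_make("255.255.255.255", 0), sin_make("10.0.0.6", 0) },
    };
    scc_rewrite_rule n2[2] = {
        { sin_make("0.0.0.0", 25),  sin_make("0.0.0.0", 0), sin_make("0.0.0.0", 2525) },    /* port only */
        { sin_make("0.0.0.0", 443), sin_make("0.0.0.0", 0), sin_make("10.0.0.99", 8443) },  /* both */
    };
    scc_rewrite_rec node1 = { ACL_REWRITE_NO_MATCH_DENY, 2, n1 };
    scc_rewrite_rec node2 = { ACL_REWRITE_NO_MATCH_PASS, 2, n2 };
    struct sockaddr_in dst = sin_make(ip, port);
    redirect_result res = { 0, 0, 0 };
    int addr_mapped = 0, port_mapped = 0;

    if (redirect_apply(&node1, &dst, &addr_mapped, &port_mapped) < 0) {
        res.denied = 1;
        return res;
    }
    redirect_apply(&node2, &dst, &addr_mapped, &port_mapped);
    res.addr = ntohl(dst.sin_addr.s_addr);
    res.port = ntohs(dst.sin_port);
    return res;
}
```

A connection to 192.0.2.11:25 gets its address from node 1 and its port from node 2 (the port-only rule still applies), while a connection to 192.0.2.11:443 keeps port 443 because node 2's second rule would also remap an address node 1 has already mapped.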

MAT nodes

These are nodes that handle MAT addresses on a single region interface.
The GUI system allows the user to configure different behaviors depending on
which address the connection came to the firewall on. To handle this the backend
needs to put a MAT node as the node the service points to for those regions that
have MATs. For example, if the user enables a service from "region 1" to
"Firewall via address a" then a MAT node is needed. We only
need MAT nodes for the firewall region provided that MAT has been defined for
the firewall in that region.

If an ACL check comes to a MAT node and if the destination address is
not found in the list of addresses then the connection is denied.

The structure used is:

struct scc_mat_rec {
    int num_mat_addrs;
    struct sockaddr_in *mat_addrs;
    scc_decision_node **next_node;
};

In one embodiment, there is a hash table that stores pointers to the
decision nodes. The hash table consists of pointers to linked lists. The string is
hashed to a bucket in the table and each bucket is the start of a linked list. When a
node is added to the table, the table is checked to see if the name is unique by
looking at the strings in the linked list that the string hashes to. If it is unique,
then the node is added to the front of the hash table, and if the node is already
present, an EEXIST error is returned.

The hashing algorithm used is the sum of the characters in the name
modulo the size of the table. Currently the table is static in size and is set to
ACL_HASH_TABLE_SIZE (i.e. 200 buckets).

All initialization is done using the scc_hash_init function which is called
by scc_acl_init. The size of the hash table is stored in scc_d_node_hash_size
and the table itself is stored in scc_d_node_table.

Counters need to be kept consistent (i.e. correct) even when a process
that holds a connection dies. There are several ways to do this. The current
approach is to use the proc structure of the process making the system call. A
new field will be added to keep track of each counter used by that process and
the number of concurrent uses of the counter. When the process dies, then the
exit1 code in the kernel will go through and clear the counters and free the proc
space.

In order to make sure that memory is not freed before a process is
finished with it, we have a node_has_been_deleted flag. This flag is part of
every counter and is set to true (i.e. not zero) if the counter is no longer in use
and zero otherwise. If a process decrements a current count to zero and if the flag
is set to true, then the memory is freed since no process is using that memory. If
the flag is set to true and the current count is already zero, then the memory is
freed up immediately.

The following describes one embodiment of the proc structure entry for
the counters. First, we have a linked list of counters based on a connection. The
entry in the proc structure is: scc_ACL_cell *scc_ACL_head; Each cell in this
linked list is as follows:

struct scc_ACL_cell {
    scc_ACL_cell *next;
    scc_ACL_cell *prev;
    scc_service_rec *service_record;
    int number_of_counters;
    int *counter_type;          /* shared or otherwise */
    void **counter_rec;
};

The connection id passed back to the proxy will be the actual pointer to
the scc_ACL_cell. Thus when the proxy does its free, we can very easily free up
the counter space, free the memory, and re-attach the linked list of connection
information.

When a process exits, we check the linked list of ACL rules and free up
any that are still in use by the process.

When a new process starts up, we set the scc_ACL_head to NULL.
When a process forks, the child's scc_ACL_head is set to NULL.



In The Proxy

The proxy will make two calls to the ACLs. The first call is:

int scc_is_service_allowed(
    unsigned long service_number,
    struct sockaddr_in *src_ip,
    struct sockaddr_in *dst_ip,
    char *src_host_name,            /* usually null */
    char *dst_host_name,            /* usually null */
    char *user_name,                /* null if none */
    int name_valid,                 /* tell if name is valid */
    /* return values */
    int &to_region,
    int &from_region,
    int &filter_text_len,
    char &filter_text,
    int rule_name_len,
    char &rule_name,
    struct sockaddr_in &redirect_src_addr_port,
    struct sockaddr_in &redirect_dst_addr_port,
    int &master_key,
    caddr_t &connection_id          /* id for this connection */
);



The possible return values are:

#define ACL_DENY 0
#define ACL_ALLOW_HIDE_SRC 1
#define ACL_ALLOW_HIDE_DST 2
#define ACL_ALLOW_HIDE_BOTH 3
#define ACL_ALLOW_SHOW_ALL 4
#define ACL_RESOLVE_SRC_ADDR 5
#define ACL_RESOLVE_DST_ADDR 6
#define ACL_NEED_MORE_FILTER_SPACE 7
#define ACL_NEED_USER_NAME 8



Thus the ACLs will return, for each connection, how to hide the
addresses. The description of each of the parameters is as follows:

service_number: this is a number that the backend decides and is unique per
    service or possibly per service, from and to region triplet
    as desired.

src_ip: this is the source IP address of the connection.

dst_ip: this is the destination IP address of the connection.

src_host_name: this is the host name based on the reverse lookup of the
    source address of the connection. This is generally only
    used when the kernel explicitly asks for it by returning
    from a previous call to scc_is_service_allowed with a
    return value of ACL_RESOLVE_SRC_ADDR.

dst_host_name: this is the host name based on the reverse lookup of the
    destination address of the connection. This is generally
    only used when the kernel explicitly asks for it by
    returning from a previous call to scc_is_service_allowed
    with a return value of ACL_RESOLVE_DST_ADDR.

user_name: this is the user name of the person using the service. This
    value is only used when ACL_NEED_USER_NAME has
    been returned by the kernel. Use NULL if the name has
    not yet been requested. Currently only FTP, telnet and
    WWW support user names.

name_valid: this tells the ACLs whether or not a user name makes any
    sense for this protocol. If the name_valid flag is set to
    TRUE, then user decision nodes will be used (and thus a
    user name will be required if a user decision node is
    encountered when checking the ACL). If set to false, then
    the user decision nodes will be ignored and the true path
    of those nodes encountered when checking the ACL will
    be used.

to_region: the region number that the destination address of this
    connection is in.

from_region: the region number that the source address of this
    connection is in.

filter_text_len: this is a pointer to an integer which has the length
    of the filter_text array in it. This value will be set
    to the amount of data returned by the access call on
    return. If the return value is
    ACL_NEED_MORE_FILTER_SPACE, then the
    value in this variable will contain the amount of
    space required.

filter_text: this is an array of characters of size filter_text_len which
    will be used to store the concatenated filter strings
    accumulated while checking the ACLs.

rule_name_len: this is the size of the array rule_name.

rule_name: this is the name of the rule that allowed or denied the
    connection. Only a maximum of rule_name_len - 1
    characters will be stored in there.

redirect_dst_addr_port: this is the address and port to redirect this
    connection to. The system will set this to all zeroes
    if it is not in use. The port and address will always
    both be set together in this structure if it is to be
    used. Only the sin_port and sin_addr part of the
    structure will be used.

redirect_src_addr_port: this is used to indicate to the firewall that when
    making the connection from the firewall to the
    destination, it should use the source address/port
    provided. Note that unlike the
    redirect_dst_addr_port field only the parts of the
    address required will be filled out. In particular, if
    the port is specified but not the address then the
    address field will be zero! Similarly, if the address
    is specified but not the port, then the port will be
    zero. For the redirect_dst_addr_port, if one or
    both fields are specified then they are both returned
    (with the unspecified field left the same as the
    actual destination).

master_key: this is the key that indicates which items have been
    licensed on the firewall.

connection_id: this is the connection id for this connection. When
    the service is finished you provide this id to the
    scc_service_done system call and that function
    decrements the correct counters.

Note that the user name will be used by the system to get the groups
automatically behind the scenes in the library call. This means that the actual
call to the kernel will have more fields. In particular, there will be a list of group
names and a counter to indicate how many elements are in the list.
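The call-and-retry protocol between proxy and kernel described above (the kernel answering ACL_RESOLVE_SRC_ADDR, ACL_NEED_USER_NAME or ACL_NEED_MORE_FILTER_SPACE until the proxy has supplied what the rule path needs) as an added C example. It is not the patent's code: the kernel side is a constructed stand-in that takes only the parameters relevant to the retry codes, the reverse lookup and the protocol login are stubbed with constructed values, and the filter string is made up. The return codes are those listed on the page.

```c
#include <string.h>

#define ACL_DENY                   0
#define ACL_ALLOW_HIDE_SRC         1
#define ACL_ALLOW_HIDE_DST         2
#define ACL_ALLOW_HIDE_BOTH        3
#define ACL_ALLOW_SHOW_ALL         4
#define ACL_RESOLVE_SRC_ADDR       5
#define ACL_RESOLVE_DST_ADDR       6
#define ACL_NEED_MORE_FILTER_SPACE 7
#define ACL_NEED_USER_NAME         8

/* --- constructed stand-in for the kernel side ------------------------------
 * The rule path walked here has a host node on the source (needs the reverse
 * name), a user node (needs a user name when the protocol carries one), and
 * filter nodes whose accumulated text is FAKE_FILTERS. */
static const char *FAKE_FILTERS = "encryption:strong;authentication:password;";

static int fake_scc_is_service_allowed(const char *src_host_name, const char *user_name,
                                       int name_valid, int *filter_text_len, char *filter_text)
{
    size_t need = strlen(FAKE_FILTERS) + 1;
    if (src_host_name == NULL)
        return ACL_RESOLVE_SRC_ADDR;
    if (name_valid && user_name == NULL)
        return ACL_NEED_USER_NAME;
    if ((size_t)*filter_text_len < need) {
        *filter_text_len = (int)need;          /* report the space required */
        return ACL_NEED_MORE_FILTER_SPACE;
    }
    memcpy(filter_text, FAKE_FILTERS, need);
    *filter_text_len = (int)need;              /* amount of data returned */
    return ACL_ALLOW_HIDE_SRC;
}

/* --- proxy side ------------------------------------------------------------ */
typedef struct {
    int verdict;            /* final ACL_* code */
    int calls;              /* how many times the ACL was consulted */
    char filter_text[128];
} proxy_acl_result;

/* Constructed substitutes for the proxy's reverse DNS lookup and protocol login. */
static const char *proxy_reverse_lookup(void)      { return "client.example.net"; }
static const char *proxy_user_from_protocol(void)  { return "alice"; }

/* Consult the ACL until it returns a verdict, supplying each extra input the
 * kernel asks for. Returns 0 on a verdict, -1 if the exchange never settles
 * (a real proxy would handle ACL_RESOLVE_DST_ADDR the same way). */
static int proxy_check_service(int name_valid, proxy_acl_result *out)
{
    const char *host = NULL, *user = NULL;
    int len = 16;                               /* deliberately too small at first */
    memset(out, 0, sizeof *out);
    while (out->calls < 8) {                    /* bound the retry loop */
        int rc;
        out->calls++;
        rc = fake_scc_is_service_allowed(host, user, name_valid, &len, out->filter_text);
        switch (rc) {
        case ACL_RESOLVE_SRC_ADDR:
            host = proxy_reverse_lookup();
            break;
        case ACL_NEED_USER_NAME:
            user = proxy_user_from_protocol();
            break;
        case ACL_NEED_MORE_FILTER_SPACE:
            if (len > (int)sizeof out->filter_text)
                return -1;                      /* more than this proxy can hold */
            break;                              /* len now holds the required size */
        default:
            out->verdict = rc;
            return 0;
        }
    }
    return -1;
}

static int demo_calls(int name_valid)
{
    proxy_acl_result r;
    return proxy_check_service(name_valid, &r) == 0 ? r.calls : -1;
}

static int demo_verdict(int name_valid)
{
    proxy_acl_result r;
    return proxy_check_service(name_valid, &r) == 0 ? r.verdict : -1;
}

static int demo_filter_ok(int name_valid)
{
    proxy_acl_result r;
    return proxy_check_service(name_valid, &r) == 0 && strcmp(r.filter_text, FAKE_FILTERS) == 0;
}
```

With name_valid set the exchange takes four calls (resolve, user name, more filter space, verdict); without it the user node is skipped and three calls suffice.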
int scc_service_done(caddr_t connection_id);

This call always returns zero now. The kernel will use the information in
the proc structure for this process to decrement the connection counts for this
connection.

There is one other call that a proxy might have to make. When an ACL is
updated, proxies have to recheck their connections to see if they can still make
the connection. This is done as follows:

int scc_recheck_service(
    unsigned long service_number,
    struct sockaddr_in *src_ip,
    struct sockaddr_in *dst_ip,
    char *src_host_name,            /* usually null */
    char *dst_host_name,            /* usually null */
    char *user_name,                /* null if none */
    int name_valid,                 /* tell if name is valid */
    caddr_t &connection_id,         /* id for this connection */
    /* return values */
    int &to_region,
    int &from_region,
    int &filter_text_len,
    char &filter_text,
    int rule_name_len,
    char &rule_name,
    struct sockaddr_in &redirect_src_addr_port,
    struct sockaddr_in &redirect_dst_addr_port,
    int &master_key
);

Returns from this will be the same as for the scc_is_service_allowed call except
that connection_id is passed in as a parameter not a return value.

If the connection is not allowed, then the counters are automatically freed
up and the proxy need not make any further calls for that connection. In the case
of counter nodes, the recheck will fail until the counter is at an acceptable level.
This means that, if the counter has been decreased below current connection
levels, the first connection rechecked will fail and so on until the current number
of connections counter has been decremented enough. Thus, proxies should
recheck services in order of lowest priority to highest priority (typically by
checking the oldest sessions first, when that is possible). Note that short-lived
proxies and servers started by secured cannot guarantee the order in which ACLs
will be rechecked, since they will all get a HUP signal at the same time.

In one embodiment, the backend is able to add, change and delete decision
nodes. It also is able to insert new nodes into the tree. In such an embodiment,
the following functions are provided to allow this to be done efficiently. All
backend calls return 0 for success and -1 for failure. Later, errno will be used to
determine what went wrong.

The Adding New and Updating Nodes call is used to add or update a
node. The same call is used to add a new node or update a node. If the
node_descriptor is unique, then it is a new node; otherwise the node is updated. In
both cases, the values must all be completely filled out.

int scc_set_user_node(
    char *node_descriptor,
    char **sorted_user_array,
    int number_of_users,
    char *true_child_node_descriptor,
    char *false_child_node_descriptor);

int scc_set_host_node(
    char *node_descriptor,
    int type,                           /* src or dst check */
    char **sorted_hostname_array,       /* see below */
    int number_of_names,
    struct sockaddr_in *ip_addr,        /* array of structs of ip addrs */
    struct sockaddr_in *ip_mask,        /* array of structs of ip masks */
    int number_of_ip,
    char *true_child_node_descriptor,
    char *false_child_node_descriptor);

Note that the list of host names must be in sorted order but the letters of
the hostname must be reversed. For example, rafael.tor.securecomputing.com
would be moc.gnitupmoceruces.rot.leafar. These are then put into sorted order.
This allows the kernel to quickly process wild card entries. It is also important
that unneeded entries are not loaded into the kernel. For example if the user has
specified *.com, then no other entries of the form .com should be present in the
list passed to the kernel.



int scc_set_count_node(
    char *node_descriptor,
    int service_specific_flag,          /* share or not */
    int max_count,
    char *true_child_node_descriptor,
    char *false_child_node_descriptor);

int scc_set_time_node(
    char *node_descriptor,
    scc_date_detail_rec *date_entries,
    int number_date_entries,
    char *true_child_node_descriptor,
    char *false_child_node_descriptor);

Note that the date records must be in sorted order using start_seconds as the key
to sort on. Note also that the date_entries field is an array of structs.

int scc_set_filter_node(
    char *node_descriptor,
    char *filter_string,                /* list of filters */
    unsigned long filter_string_length,
    char *child_node_descriptor);

int scc_set_log_node(
    char *node_descriptor,
    int audit_message_type,             /* category of audit call */
    char *log_message,                  /* message to output */
    char *child_node_descriptor);

int scc_set_rewrite_node(
    char *node_descriptor,
    int src_dst_flag,
    int no_match_action,
    int number_of_rewrite_rules,
    scc_rewrite_rule *rewrite_rules,
    char *child_node_descriptor);
int scc_set_subrule_node(
    char *node_descriptor,
    char *subrule_head_descriptor,      /* start of subrule */
    char *true_child_node_descriptor,
    char *false_child_node_descriptor   /* NULL for service rec */
);

int scc_set_mat_node(
    int num_mat_addrs,
    struct sockaddr_in *mat_addrs,      /* array of structs */
    char **node_descriptors);

Note that for the scc_set_mat_node system call, the two arrays must be
in sync (i.e. the first MAT address uses the first decision node in the node
descriptors array).

Return values from these are as follows:

EEXIST: there is already a node with this node_descriptor and it is
different from the node required for the system call.

ENOMEM: happens when the kernel is out of memory.

ENOENT: happens when the node descriptor specified does not exist.

EINVAL: happens when an invalid argument is provided to a system call.
One example is if a NULL true_child_node_descriptor is passed
in as an argument.



int scc_set_service_node(
    unsigned long service_number,       /* made up by backend */
    int to_region,
    int from_region,
    char *node_descriptor,
    int node_debug,
    char *child_node_descriptor);

The service nodes are different from the other nodes. The reference is the
service number not the node descriptor. The node descriptor is there for audit

then debugging is turned on recursively down the tree.

For all nodes, the descriptor to use for the allow terminating node is the
string _SCC_ALLOW. For the deny connection terminating node, use the string
_SCC_DENY.

Linking Nodes

Nodes are linked in the same system call that they are built or updated
from. Those nodes which only have one path through them only have one
potential node leaving them. A child node can either be a descriptor of an
existing node, the string _SCC_ALLOW, or the string _SCC_DENY.
_SCC_ALLOW and _SCC_DENY are the accept and deny terminals of the tree
respectively and otherwise the child is another scc_decision_node.

If the child node desired does not exist the system will return an error.

Deleting Nodes

If you want to delete a node you use:

    int scc_delete_node(char *node_descriptor);

for all nodes except service nodes. For service nodes you use:

    int scc_delete_service(
        int service_number,
        int to_region,
        int from_region);

Note that this will mark the node as deleted. You must still rebuild the tree. If an
ACL is checked and a deleted node is encountered then the ACL will be denied.
Also, the system will only delete nodes when the reference count to that
node is zero. All deleted nodes will be removed from the decision node table
when the system call is made though.

If you want to delete the service from all regions, then set the source and
destination regions to -1.
Debugging Nodes

You can set the debug value of a node (debug_node field in the
scc_decision_node structure) by ORing bits. The possible values are:

#define SCC_ACL_DEBUG_TRUE 0x1
#define SCC_ACL_DEBUG_FALSE 0x2
#define SCC_ACL_DEBUG_TIME 0x4

If the SCC_ACL_DEBUG_TRUE bit is set, then print a debug message when a
true decision is reached at this node of the form:



audit_printf(
    AUDIT_F_KERN_ACL,
    AUDIT_A_AREA,
    AUDIT_T_DEBUG,
    AUDIT_P_MINOR,
    "ACL node: %s returned true.",
    d_node->node_descriptor);

If the SCC_ACL_DEBUG_FALSE bit is set, then print a debug message
when a false decision is reached at this node of the form:

audit_printf(
    AUDIT_F_KERN_ACL,
    AUDIT_A_AREA,
    AUDIT_T_DEBUG,
    AUDIT_P_MINOR,
    "ACL node: %s returned false.",
    d_node->node_descriptor);

If the SCC_ACL_DEBUG_TIME bit is set, then print a debug message
telling how much time was spent in this node in the form:

audit_printf(
    AUDIT_F_KERN_ACL,
    AUDIT_A_AREA,
    AUDIT_T_DEBUG,
    AUDIT_P_MINOR,
    "\n\nNode \"%s\" took %ld seconds and %ld microseconds\n"
    "children took %ld seconds and %ld microseconds.\n",
    d_node->node_descriptor,
    end.tv_sec, end.tv_usec, end_sub.tv_sec,
    end_sub.tv_usec);

This will include all the time spent in subnodes as well.

You can set the debugging value of a node using a separate system call:

int scc_set_debug(
    char *node_descriptor,
    int debug_value);

For service nodes you should set the debug value in the set system call.
Use the same possible values as above.

Service Usage Statistics

In one embodiment, the ACLs keep track of service counts for all
services that use them. The counts are by service number, from region, to region
triplet. Because we do not know beforehand how many services there will be we
implement this function in a two call method. A system call which could be
used is as follows:

int scc_get_service_counts(
    int calltype,
    int *count_size,
    struct scc_serv_count *counts);

The calltype can be one of:

#define SCC_GET_NUM 0
#define SCC_GET_VALS 1

When called with calltype == SCC_GET_NUM, this system
call sets the value of count_size to be the number of elements that need to be
allocated in the counts array.

When called with calltype == SCC_GET_VALS, this system
call sets the entries in the counts array to the appropriate values. If for some
reason the number of elements in the array counts, passed in count_size, is not
big enough, then the call returns with ENOSPC and passes the new number
required back in count_size. Even if there is enough space, we return in
count_size the number of array elements used.

Each entry in the counts array is defined as follows:

typedef struct scc_serv_count {
    unsigned long serv;                 /* service number */
    int from;                           /* from region */
    int to;                             /* to region */
    unsigned long total_sessions;       /* since last reboot */
    unsigned long current_sessions;     /* current active */
} scc_serv_count;
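The two-call protocol above, as an added C example that is not the patent's code. The kernel side is a constructed stand-in backed by a static table, with a hook that grows the table between the SCC_GET_NUM and SCC_GET_VALS calls to show why the caller must handle ENOSPC even after sizing the array; the service numbers and counts are made up. The same size-then-fill pattern is what ACL_NEED_MORE_FILTER_SPACE asks the proxy to do for filter text.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define SCC_GET_NUM  0
#define SCC_GET_VALS 1

typedef struct scc_serv_count {
    unsigned long serv;
    int from;
    int to;
    unsigned long total_sessions;
    unsigned long current_sessions;
} scc_serv_count;

/* Constructed stand-in for the kernel's per (service, from, to) table. */
static scc_serv_count g_table[16];
static int g_table_len;
static int g_grow_on_next_vals;      /* test hook: table grows between the two calls */

static void table_reset(void) { g_table_len = 0; g_grow_on_next_vals = 0; }

static void table_add(unsigned long serv, int from, int to, unsigned long total, unsigned long cur)
{
    scc_serv_count e = { serv, from, to, total, cur };
    if (g_table_len < 16) g_table[g_table_len++] = e;
}

/* The system call as described: SCC_GET_NUM reports the size; SCC_GET_VALS
 * fills the array, or fails with ENOSPC and the size now required. */
static int scc_get_service_counts(int calltype, int *count_size, scc_serv_count *counts)
{
    if (count_size == NULL || (calltype != SCC_GET_NUM && calltype != SCC_GET_VALS)) {
        errno = EINVAL; return -1;
    }
    if (calltype == SCC_GET_NUM) { *count_size = g_table_len; return 0; }
    if (g_grow_on_next_vals) { g_grow_on_next_vals = 0; table_add(99, 1, 0, 1, 1); }
    if (counts == NULL || *count_size < g_table_len) {
        *count_size = g_table_len;       /* tell the caller what it needs */
        errno = ENOSPC; return -1;
    }
    memcpy(counts, g_table, (size_t)g_table_len * sizeof *counts);
    *count_size = g_table_len;           /* elements actually used */
    return 0;
}

/* Caller side: size, allocate, fetch, and retry if the table grew meanwhile.
 * Returns the element count and sets *out (caller frees), or -1 on error. */
static int fetch_service_counts(scc_serv_count **out)
{
    scc_serv_count *buf = NULL;
    int n = 0;
    if (scc_get_service_counts(SCC_GET_NUM, &n, NULL) != 0) return -1;
    for (;;) {
        scc_serv_count *nb = realloc(buf, (size_t)(n > 0 ? n : 1) * sizeof *nb);
        if (nb == NULL) { free(buf); return -1; }
        buf = nb;
        if (scc_get_service_counts(SCC_GET_VALS, &n, buf) == 0) break;
        if (errno != ENOSPC) { free(buf); return -1; }
        /* n now holds the size required; loop and try again */
    }
    *out = buf;
    return n;
}

/* Constructed sample: three (service, from, to) triplets. */
static void load_sample(void)
{
    table_reset();
    table_add(21, 1, 0, 120, 3);
    table_add(23, 1, 0, 15, 0);
    table_add(80, 1, 2, 9001, 42);
}

static int demo_plain_fetch(void)
{
    scc_serv_count *c = NULL; int n;
    load_sample();
    n = fetch_service_counts(&c);
    free(c);
    return n;
}

static int demo_grow_fetch(void)
{
    scc_serv_count *c = NULL; int n;
    load_sample();
    g_grow_on_next_vals = 1;             /* a service appears between the two calls */
    n = fetch_service_counts(&c);
    free(c);
    return n;
}

/* Undersized array: the call fails with ENOSPC and reports the size needed. */
static int demo_enospc(void)
{
    scc_serv_count one[1]; int n = 1, rc;
    load_sample();
    rc = scc_get_service_counts(SCC_GET_VALS, &n, one);
    return (rc == -1 && errno == ENOSPC) ? n : -1;
}

static unsigned long demo_current_total(void)
{
    scc_serv_count *c = NULL; int i, n; unsigned long sum = 0;
    load_sample();
    n = fetch_service_counts(&c);
    for (i = 0; i < n; i++) sum += c[i].current_sessions;
    free(c);
    return sum;
}
```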

Conclusion

It is understood that the above description is intended to be
illustrative, and not restrictive. Many other embodiments will be apparent to
those of skill in the art upon reviewing the above description. The scope of the
invention should, therefore, be determined with reference to the appended
claims, along with the full scope of equivalents to which such claims are entitled.
What is Claimed is:

1. A method of implementing a security policy, comprising the steps of: 
providing a plurality of access policies; 

defining a process; and 

connecting the access policies and the process to form a security policy. 

2. The method according to claim 1, wherein the step of defining a process
includes the step of creating an alert.

3. The method according to claim 1, wherein the step of defining a process
includes the step of adding a filter.

4. The method according to claim 3, wherein the filter is a URL blocking 
filter. 

5. In a computer network having a plurality of separate networks, an access 
control mechanism comprising: 

a plurality of regions, including a first and a second region; 

one or more services bridging said first and second region; 

access control rules which define a security policy, wherein the access
control rules limit data transfer by the one or more services bridging the first and 
second regions, wherein the access control rules are defined as a decision tree, 
wherein the decision tree includes a decision node and a first and a second 
branch and wherein the decision node includes a true and a false destination 
path, wherein the true destination path leads to the first branch and the false 
destination path leads to the second branch; and 

access control logic, wherein the access control logic operates with the 
access control rules to enforce the security policy. 

6. The access control mechanism according to claim 5, wherein the first and 
the second branches lead to other decision nodes. 
7. The access control mechanism according to claim 5, wherein the decision
tree further includes a filter, wherein the first branch leads to the filter. 

8. The access control mechanism according to claim 5, wherein the first and 
the second branches lead to other decision nodes. 



9. In a computer network system having a plurality of networks and a 
plurality of services, including a first service, wherein each service defines a 
protocol for transferring data between two of the plurality of networks, a method 
of limiting transfers between networks, comprising the steps of: 

defining a to-from set, wherein the to-from set lists a source network and
a destination network;

associating the to-from set with the first service;

defining a path, wherein the path includes desired options for limiting
transfer from the source network to the destination network via the first service;

storing information regarding the to-from set, the first service and the
path as an access control rule;

receiving a request to set up said first service between the source network 
and the destination network; 

comparing the request to the access control rule to determine access; and 

if access is allowed, establishing the service between the source and 
destination networks. 

10. In a computer network system having a plurality of networks and a
plurality of services, including a first service, wherein each service defines a
protocol for transferring data between two of the plurality of networks, a method
of defining a security policy, comprising the steps of:

defining a plurality of access policies, including a first and a second
access policy, wherein the step of defining includes the step of creating a
plurality of access policy routines, including a first and a second access policy 
routine, wherein the first access policy routine embodies the first access policy 
and wherein the second access policy routine embodies the second access policy; 
forming a decision tree having a plurality of decision nodes, including a
first, second and third decision node, wherein the first and second decision nodes
enforce the first access policy and wherein the third decision node enforces the
second access policy; and 

compiling a list of access control rules, wherein the step of compiling 
includes the step of replacing each decision node with one of the plurality of 
access policy routines. 

11. In a computer network system having a plurality of networks and a
plurality of services, including a first service, wherein each service defines a 
protocol for transferring data between two of the plurality of networks, a method 
of enforcing a security policy, comprising the steps of: 

defining a plurality of regions, including a first and a second region;
assigning each network to a region; 
defining a first and a second service; 

defining a plurality of access policies, including a first and a second 
access policy, wherein the first access policy limits communication between the 
first and second region using the first service and wherein the second access 
policy limits communication between the first and second region using the
second service, wherein the step of defining includes the step of creating a
plurality of access policy routines, including a first and a second access policy
routine, wherein the first access policy routine embodies the first access policy 
and wherein the second access policy routine embodies the second access policy; 

forming a decision tree having a plurality of decision nodes, including a 
first, second and third decision node, wherein the first and second decision nodes
enforce the first access policy and wherein the third decision node enforces the 
second access policy; 

compiling a list of access control rules, wherein the step of compiling
includes the step of replacing each decision node with one of the plurality of 
access policy routines; 

receiving a packet from the first region; and 

accessing the list of access control rules to determine if the packet should 
be forwarded to the second region. 
12. A method of achieving network separation within a computing system
having a plurality of network interfaces, the method comprising the steps of: 

defining a plurality of regions;

configuring a set of policies for each of the plurality of regions; 

assigning each of the plurality of network interfaces to only one of the 
plurality of regions, wherein at least one of the plurality of network interfaces is
assigned to a particular region; and 

restricting communication to and from each of the plurality of network 
interfaces in accordance with the set of policies configured for the one of the 
plurality of regions to which the one of the plurality of network interfaces has
been assigned.

13. A secure server, comprising: 
an operating system kernel; 

a plurality of network interfaces which communicate with the operating 
system kernel; and 

a plurality of regions, wherein a set of policies have been configured for 
each of the plurality of regions; 

wherein each of the plurality of network interfaces is assigned to only 
one of the plurality of regions; 

wherein at least one of the plurality of network interfaces is assigned to a 
particular region; and

wherein communication to and from each of the plurality of network 
interfaces is restricted in accordance with the set of policies configured for the 
one of the plurality of regions to which the one of the plurality of network 
interfaces has been assigned. 



WO 99/48261 PCT/US99/05991

[Figure 1 (sheet 1/7): network diagram of the secure server; labelled networks: Partner Shared Net, The Internet, Secure Server Network, Company Private Net]

[Figure 3 (sheet 5/7): drawing not recoverable from the text]

[Figure 4 (sheet 6/7): flowchart of a file-transfer policy; boxes: "Check file for viruses", "Rewrite", "If it has a virus, alert the administrator!", "Redirect the transfer to a safe location for later inspection."]

[Flowchart (sheet 7/7): packet handling. Steps: Receive a packet. Retrieve region ID from the network interface and assign to the packet. Is packet encrypted? If the packet is encrypted, retrieve the VPN security association for that packet. Decrypt the packet. Replace the previously stored region ID for that packet with the region ID of the VPN. Check that the destination is in the same region as the source. Check that the "router" flag is set for that region. If either condition is not met, the packet is not forwarded. Look for any socket listening for the incoming packet. Look at source IP address, source IP port, destination address, destination port, and check the region associated with the packet against the region specified in the rgnbind() system call, to ensure that sockets receive data originating only from the correct region. Are all conditions met?]
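The packet-handling flowchart on sheet 7/7, as an added example that is not the patent's own code: a user-space model of the region check, in which the region ID comes from the receiving interface, is replaced by the VPN's region for decrypted traffic, and then gates either forwarding (same region plus the "router" flag) or local delivery (4-tuple match plus the region the socket was bound to with rgnbind()). The struct layouts, the modelling of rgnbind() as a bound_region field, and the sample addresses and region numbers are assumptions.

```c
#include <stdbool.h>
#define MAX_REGIONS 8
/* Hypothetical per-region configuration: the "router" flag allows a packet to be
   forwarded between two networks that sit in the same region. */
typedef struct { bool router; } region_cfg;
typedef struct {
    int if_region;            /* region ID of the receiving network interface */
    bool encrypted;           /* VPN traffic, decrypted before the checks below */
    int vpn_region;           /* region of the packet's VPN security association */
    unsigned int src_ip, dst_ip;
    unsigned short src_port, dst_port;
    bool local_delivery;      /* destined for this host rather than another network */
    int dst_region;           /* region of the destination network (forwarding case) */
} packet;

/* Hypothetical socket entry; bound_region models the region given to rgnbind(). */
typedef struct {
    unsigned int local_ip; unsigned short local_port;
    unsigned int peer_ip;  unsigned short peer_port;   /* 0 = any (listening socket) */
    int bound_region;
} sock_entry;
enum verdict { DROP = 0, FORWARD = 1, DELIVER = 2 };

/* The region ID is taken from the interface, then replaced by the VPN's region once
   the packet has been decrypted, so VPN traffic is judged by where it really came from. */
int effective_region(const packet *p) {
    return p->encrypted ? p->vpn_region : p->if_region;
}

int process_packet(const packet *p, const region_cfg *regions,
                   const sock_entry *socks, int nsocks) {
    int rgn = effective_region(p);
    if (rgn < 0 || rgn >= MAX_REGIONS) return DROP;
    if (!p->local_delivery) {
        /* Forwarding needs both conditions: same region at both ends and the region's
           "router" flag set; if either is not met the packet is not forwarded. */
        return (p->dst_region == rgn && regions[rgn].router) ? FORWARD : DROP;
    }
    /* Local delivery: match the 4-tuple and require that the socket was bound (rgnbind)
       to the packet's region, so a socket only receives data from its own region. */
    for (int i = 0; i < nsocks; i++) {
        const sock_entry *s = &socks[i];
        if (s->local_ip == p->dst_ip && s->local_port == p->dst_port &&
            (s->peer_ip == 0 || s->peer_ip == p->src_ip) &&
            (s->peer_port == 0 || s->peer_port == p->src_port) &&
            s->bound_region == rgn)
            return DELIVER;
    }
    return DROP;
}
```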